dojo / webpack-contrib

Plugins and loaders for webpack used with Dojo

There are a lot of vulnerabilities in dependencies #338

Closed paimon0715 closed 3 years ago

paimon0715 commented 3 years ago

Hi, @agubler

Issue

42 vulnerabilities (32 high, 9 medium and 1 low severity) are introduced in @dojo/webpack-contrib, and there are some examples:

1. Vulnerability CVE-2020-6541 (high severity) is detected in package electron (versions: >=7.0.0 <7.3.3, >=8.0.0 <8.5.1, >=9.0.0 <9.2.2): https://snyk.io/vuln/SNYK-JS-ELECTRON-608662
2. Vulnerability CVE-2021-23337 (high severity) is detected in package lodash (versions: <4.17.21): https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054
3. Vulnerability CVE-2020-7598 (medium severity) is detected in package minimist (versions: <0.2.1, >=1.0.0 <1.2.3): https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
4. Vulnerability CVE-2019-5786 (high severity) is detected in package puppeteer (versions: <1.13.0): https://snyk.io/vuln/SNYK-JS-PUPPETEER-174321
5. Vulnerability CVE-2020-28469 (medium severity) is detected in package glob-parent (versions: <5.1.2): https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
6. Vulnerability npm:mem:20180117 (medium severity) is detected in package mem (versions: <4.0.0): https://snyk.io/vuln/npm:mem:20180117
7. Vulnerability CVE-2020-7608 (medium severity) is detected in package yargs-parser (versions: >5.0.0-security.0 <5.0.1, >=6.0.0 <13.1.2, >=14.0.0 <15.0.1, >=16.0.0 <18.1.1): https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381

The above vulnerable packages are referenced by @dojo/webpack-contrib via:

1. @dojo/webpack-contrib@7.0.7 ➔ electron@7.1.14
2. @dojo/webpack-contrib@7.0.7 ➔ lodash@4.17.4
3. @dojo/webpack-contrib@7.0.7 ➔ mkdirp@0.5.1 ➔ minimist@0.0.8
4. @dojo/webpack-contrib@7.0.7 ➔ puppeteer@1.11.0
5. @dojo/webpack-contrib@7.0.7 ➔ typed-css-modules@0.3.7 ➔ chokidar@2.1.8 ➔ glob-parent@3.1.0
6. @dojo/webpack-contrib@7.0.7 ➔ typed-css-modules@0.3.7 ➔ yargs@8.0.2 ➔ os-locale@2.1.0 ➔ mem@1.1.0
7. @dojo/webpack-contrib@7.0.7 ➔ typed-css-modules@0.3.7 ➔ yargs@8.0.2 ➔ yargs-parser@7.0.0

Solution

Since @dojo/webpack-contrib@7.0.* is transitively referenced by 3 downstream projects (@dojo/cli-build-app 7.0.4 (latest version), @dojo/cli-build-widget 7.0.0 (latest version), @dojo/cli-build-theme 7.0.0 (latest version)), if @dojo/webpack-contrib@7.0.* removes the vulnerable packages from the above version, then its fixed version can help downstream users decrease their pain.

Could you help update packages in this version?

Fixing suggestions

In @dojo/webpack-contrib@7.0.*, you can kindly perform the following upgrades (not crossing their major versions):

1. electron ~7.1.7 ➔ ~7.3.3;

Note: electron ~7.3.3 has fixed the vulnerabilities (e.g., CVE-2020-6541, CVE-2020-6532, CVE-2020-4075)

2. lodash 4.17.4 ➔ 4.17.21;

Note: lodash 4.17.21 has fixed the vulnerabilities (e.g., CVE-2020-28500, CVE-2020-8203, CVE-2019-1010266)

3. mkdirp 0.5.1 ➔ 0.5.2;

Note: mkdirp 0.5.2 directly depends on minimist@1.2.5 (a version in which CVE-2020-7598 is patched)

4. puppeteer 1.11.0 ➔ 1.13.0;

Note: puppeteer 1.13.0 has fixed the vulnerability CVE-2019-5786

5. typed-css-modules 0.3.7 ➔ 0.6.4;

Note: typed-css-modules 0.6.4 transitively depends on glob-parent@5.1.2 (a version in which CVE-2020-28469 is patched), mem (a version in which npm:mem:20180117 is patched) and yargs-parser@18.1.3 (a version in which CVE-2020-7608 is patched)

Thanks for your contributions to the npm ecosystem!

Best regards, Paimon
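As an added example (not code from the dojo/webpack-contrib project or from either participant in this thread), the following Node.js script reproduces the check behind a report like the one above: it parses the Snyk-style vulnerable ranges quoted in the issue, walks a lockfile-shaped dependency tree and reports the path to every node whose version falls inside a vulnerable range, then repeats the audit on a tree with the suggested upgrades applied. The two trees are constructed for the example and are not the project's real lockfile; in the patched tree, the intermediate versions under typed-css-modules 0.6.4 and the mem version are assumptions, not looked-up values. It uses only Node built-ins.

```javascript
// Added example, not code from dojo/webpack-contrib: a small semver range
// matcher that walks a package-lock-style dependency tree and reports which
// nodes fall inside the vulnerable ranges quoted in the issue. Node built-ins only.
"use strict";

// Parse "1.2.3" or "1.2.3-tag" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver ordering: compare major.minor.patch numerically, then treat a
// prerelease as lower than the corresponding release (1.0.0-rc.1 < 1.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Match a version against a range written the way the issue quotes Snyk
// ranges: comma-separated alternatives (OR), each a space-separated set of
// comparators that must all hold (AND), e.g. ">=7.0.0 <7.3.3, >=8.0.0 <8.5.1".
function satisfies(version, range) {
  return range.split(",").some(alt =>
    alt.trim().split(/\s+/).filter(Boolean).every(cmp => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      const c = compareVersions(version, m[2]);
      return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c === 0 }[m[1] || "="];
    }));
}

// The seven advisories and vulnerable ranges exactly as listed in the issue.
const ADVISORIES = [
  { id: "CVE-2020-6541", package: "electron", vulnerable: ">=7.0.0 <7.3.3, >=8.0.0 <8.5.1, >=9.0.0 <9.2.2" },
  { id: "CVE-2021-23337", package: "lodash", vulnerable: "<4.17.21" },
  { id: "CVE-2020-7598", package: "minimist", vulnerable: "<0.2.1, >=1.0.0 <1.2.3" },
  { id: "CVE-2019-5786", package: "puppeteer", vulnerable: "<1.13.0" },
  { id: "CVE-2020-28469", package: "glob-parent", vulnerable: "<5.1.2" },
  { id: "npm:mem:20180117", package: "mem", vulnerable: "<4.0.0" },
  { id: "CVE-2020-7608", package: "yargs-parser",
    vulnerable: ">5.0.0-security.0 <5.0.1, >=6.0.0 <13.1.2, >=14.0.0 <15.0.1, >=16.0.0 <18.1.1" },
];

// Constructed tree in the nested shape of an npm lockfile v1 "dependencies"
// object, reproducing only the seven paths the issue reports (not the real lockfile).
const VULNERABLE_LOCK = { dependencies: {
  electron: { version: "7.1.14" },
  lodash: { version: "4.17.4" },
  mkdirp: { version: "0.5.1", dependencies: { minimist: { version: "0.0.8" } } },
  puppeteer: { version: "1.11.0" },
  "typed-css-modules": { version: "0.3.7", dependencies: {
    chokidar: { version: "2.1.8", dependencies: { "glob-parent": { version: "3.1.0" } } },
    yargs: { version: "8.0.2", dependencies: {
      "os-locale": { version: "2.1.0", dependencies: { mem: { version: "1.1.0" } } },
      "yargs-parser": { version: "7.0.0" } } } } },
} };

// Constructed tree after the issue's suggested upgrades. The tree shape under
// typed-css-modules 0.6.4 and the mem version are assumptions, not looked up.
const PATCHED_LOCK = { dependencies: {
  electron: { version: "7.3.3" },
  lodash: { version: "4.17.21" },
  mkdirp: { version: "0.5.2", dependencies: { minimist: { version: "1.2.5" } } },
  puppeteer: { version: "1.13.0" },
  "typed-css-modules": { version: "0.6.4", dependencies: {
    "glob-parent": { version: "5.1.2" }, mem: { version: "4.0.0" },
    "yargs-parser": { version: "18.1.3" } } },
} };

// Depth-first walk; every node is checked against every advisory for its name.
function walk(deps, prefix, findings) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...prefix, `${name}@${info.version}`];
    for (const adv of ADVISORIES) {
      if (adv.package === name && satisfies(info.version, adv.vulnerable)) {
        findings.push({ id: adv.id, path: path.join(" > ") });
      }
    }
    walk(info.dependencies, path, findings);
  }
}

// Audit a lock tree rooted at the named package; returns [{ id, path }, ...].
function audit(root, lock) {
  const findings = [];
  walk(lock.dependencies, [root], findings);
  return findings;
}

for (const f of audit("@dojo/webpack-contrib@7.0.7", VULNERABLE_LOCK)) console.log(f.id, f.path);
console.log("after upgrades:", audit("@dojo/webpack-contrib@7.0.7", PATCHED_LOCK).length, "findings");
```

Run it with `node audit.js`. Feeding it the `dependencies` object of a real lockfile v1 `package-lock.json` instead of the constructed trees yields the same dependency paths that `npm audit` prints. Lockfile v1 entries also carry a `dev: true` flag; reading it alongside each finding is the first step in deciding whether a vulnerable package is reachable from code that ships to users or only runs inside a build-time tool.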

matt-gadd commented 3 years ago

We do not accept automated npm audit vulnerability reports to this repository. This is simply because these "vulnerabilities" do not affect downstream userland code. Feel free to re-open this issue if you do have concrete reproductions of the above packages being exploited in downstream dojo code though 👍.