fecgov / fecfile-web-api

Back-end API for FECfile application

gh-pages vulnerability #1091

Open lbeaufort opened 1 month ago

lbeaufort commented 1 month ago

Snyk link: https://app.snyk.io/org/fecfile/project/a183c06f-05e3-467f-89c7-64275c6790f7#issue-SNYK-JS-INFLIGHT-6095116

Introduced through: gh-pages@6.1.1

Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.

QA Notes

null

DEV Notes

null

Design

null

See full ticket and images here: FECFILE-1635

exalate-issue-sync[bot] commented 2 weeks ago

David Heitzer commented: I found that the Note: on this ticket refers to the inflight library (gh-pages is still maintained, but their globby 6.1.0 dependency is from 2016 and depends on inflight). Newer versions of globby don’t depend on inflight, so we may want to open an issue for gh-pages to update globby.

[~accountid:5b92c509d0b4022bdc51bdf4] what do you think about this approach for this? Otherwise, we would need to get off of gh-pages altogether.
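The chain David describes (gh-pages pulling an old, nested globby that still reaches inflight) is exactly what a Snyk path report shows. The following is an added example, not code from fecfile-web-api or gh-pages: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) with npm's nested `node_modules` lookup and prints every root-to-package path for a flagged name. The sample lockfile is constructed; its version numbers and the intermediate `glob` entry are assumptions, not values from the issue.

```javascript
// Added example (not project code): list every dependency path from the root
// of an npm lockfile's "packages" map (lockfileVersion 2/3) to a flagged package.

// Resolve `name` as required from the package installed at `fromKey`: try
// fromKey/node_modules/name first, then each ancestor's node_modules folder.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root and still not installed
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root entry (""), recording each path that ends at
// `target`. `seen` holds the keys on the current path so cycles are skipped.
function depChains(packages, target) {
  const chains = [];
  const walk = (key, trail, seen) => {
    const pkg = packages[key] || {};
    const deps = { ...pkg.dependencies, ...pkg.devDependencies, ...pkg.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const depKey = resolveDep(packages, key, name);
      if (!depKey || seen.has(depKey)) continue;
      const label = name + '@' + packages[depKey].version;
      if (name === target) chains.push([...trail, label].join(' > '));
      else walk(depKey, [...trail, label], new Set(seen).add(depKey));
    }
  };
  walk('', [], new Set(['']));
  return chains;
}

// Constructed sample lockfile (versions and the intermediate glob entry are
// assumptions for illustration, not taken from the issue). The project pins a
// newer globby at the top level, yet gh-pages still gets its own nested globby 6.
const SAMPLE_PACKAGES = {
  '': { dependencies: { globby: '^13.2.2' }, devDependencies: { 'gh-pages': '^6.1.1' } },
  'node_modules/globby': { version: '13.2.2', dependencies: {} },
  'node_modules/gh-pages': { version: '6.1.1', dependencies: { globby: '^6.1.0' } },
  'node_modules/gh-pages/node_modules/globby': { version: '6.1.0', dependencies: { glob: '^7.0.3' } },
  'node_modules/glob': { version: '7.2.3', dependencies: { inflight: '^1.0.4' } },
  'node_modules/inflight': { version: '1.0.6' },
};

// Real lockfile: pass JSON.parse(fs.readFileSync('package-lock.json')).packages instead.
console.log(depChains(SAMPLE_PACKAGES, 'inflight')); // prints [ 'gh-pages@6.1.1 > globby@6.1.0 > glob@7.2.3 > inflight@1.0.6' ]
```

An empty result for a package after a dependency bump is the check that the transitive path is actually gone, rather than trusting that a newer copy exists somewhere in the tree.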

exalate-issue-sync[bot] commented 2 weeks ago

David Heitzer commented: It looks like there’s already a repo issue (https://github.com/tschaub/gh-pages/issues/483) to update Globby. Until this happens, Snyk will report this vulnerability. I added a comment on this issue as well. This ticket will need to be on-hold until the dependency package addresses this.

exalate-issue-sync[bot] commented 2 weeks ago

David Heitzer commented: Needs to be on-hold until the gh-pages dependency updates its globby dependency version.

exalate-issue-sync[bot] commented 1 day ago

Todd Lees commented: Moving to in progress because it's on hold

exalate-issue-sync[bot] commented 10 hours ago

David Heitzer commented: Forgot to remove the on_hold flag - moving back to CR.