fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Frontend dependency `msw` has dependency on vulnerable version of `path-to-regexp` #23128

Open lukeheath opened 3 weeks ago

lukeheath commented 3 weeks ago

Fleet version: 4.58.0


💥  Actual behavior

There are two high severity vulnerability reports:

  1. https://github.com/fleetdm/fleet/security/dependabot/268
  2. https://github.com/fleetdm/fleet/security/dependabot/269

The express dependency is okay because it uses 0.1.10 of path-to-regexp which has been patched.

We're on an old version of msw that uses path-to-regexp 6.2.0, which has not been patched. If we bring msw up to v2 we should be good.

🧑‍💻  Steps to reproduce

  1. View dependabot reports

🕯️ More info (optional)

N/A
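The triage in the report above comes down to three questions: which copies of `path-to-regexp` are installed, at what version, and which direct dependency pulls each one in. The script below, an added example and not Fleet's own code, answers them from an npm lockfile's `packages` map (lockfileVersion 2/3) using Node's nested-`node_modules` resolution rule, so a copy under `node_modules/msw/node_modules/` is attributed to `msw` while the top-level copy is attributed to `express`. The lockfile contents are constructed for the example (only the two `path-to-regexp` versions, 0.1.10 and 6.2.0, come from the issue; the `express` and `msw` version strings are placeholders), and the patched-floor table records only the 0.1.10 floor the issue names, which is an assumption to be completed from the Dependabot advisory: any major line without an entry is reported as unpatched.

```javascript
// Added example, not Fleet's code: list every installed copy of a package
// in an npm lockfile (lockfileVersion 2/3 "packages" map), the package
// that pulls each copy in, and whether the copy meets a patched floor.

// Constructed sample lockfile. Only the two path-to-regexp versions
// (0.1.10 under express, 6.2.0 under msw) are taken from the issue; the
// express and msw version strings are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.0.0" }, devDependencies: { msw: "^1.0.0" } },
    "node_modules/express": { version: "4.0.0", dependencies: { "path-to-regexp": "0.1.10" } },
    "node_modules/path-to-regexp": { version: "0.1.10" },
    "node_modules/msw": { version: "1.0.0", dev: true, dependencies: { "path-to-regexp": "^6.2.0" } },
    "node_modules/msw/node_modules/path-to-regexp": { version: "6.2.0", dev: true },
  },
};

// Lowest patched release per major line. Only the 0.1.10 floor named in the
// issue is recorded (assumption: fill in the other lines from the advisory);
// a major line with no entry is reported as unpatched.
const PATCHED_FLOORS = { "0": "0.1.10" };

// Compare dotted versions numerically, ignoring any prerelease suffix.
function compareVersions(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Node-style resolution from the package installed at `fromPath` ("" is the
// root project): try <fromPath>/node_modules/<name>, then walk up one
// node_modules level at a time, ending at the top-level node_modules/<name>.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// For every installed copy of `name`, report its version, the packages that
// resolve to it, and whether it is at or above the floor for its major line.
function auditPackage(lock, name, patchedFloors) {
  const packages = lock.packages;
  const copies = {};
  for (const [p, meta] of Object.entries(packages)) {
    if (p === "node_modules/" + name || p.endsWith("/node_modules/" + name)) {
      const major = meta.version.split(".")[0];
      const floor = patchedFloors[major];
      copies[p] = {
        path: p,
        version: meta.version,
        dependents: [],
        patched: floor !== undefined && compareVersions(meta.version, floor) >= 0,
        note: floor === undefined ? "no patched floor recorded for major " + major : "floor " + floor,
      };
    }
  }
  for (const [p, meta] of Object.entries(packages)) {
    const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
    if (!(name in deps)) continue;
    const target = resolveDep(packages, p, name);
    if (target && copies[target]) {
      const shortName = p === "" ? "(root)" : p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
      copies[target].dependents.push(shortName);
    }
  }
  return Object.values(copies);
}

for (const c of auditPackage(SAMPLE_LOCK, "path-to-regexp", PATCHED_FLOORS)) {
  console.log(`${c.path}@${c.version} via ${c.dependents.join(", ") || "(nothing)"}: ${c.patched ? "patched" : "VULNERABLE"} (${c.note})`);
}
```

Against a real checkout, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls path-to-regexp` prints the same dependent chain from the CLI, but the script form is what you would wire into CI to fail a build when a copy falls below the advisory's floor.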

lukeheath commented 3 weeks ago

@georgekarrv @ghernandez345 I noticed this high severity vulnerability report that flew under the radar. Since it's been open for a month, I'm adding the P2 label so we can resolve quickly per our security SLA.

ghernandez345 commented 2 weeks ago

@lukeheath I had to add a package, jest-fixed-jsdom, in order to update msw to v2. This package needed a change, so I made a PR to it. I'm gonna wait to see if this gets merged so I can use the new release version of this package that includes my change.

Is this OK, or do we need to fix this urgently? If so, I can use my fork of jest-fixed-jsdom.

lukeheath commented 2 weeks ago

@ghernandez345 Thanks! It's high severity, but nothing that impacts us, so it's okay to wait a little. If they don't merge by the end of the sprint, maybe just go with your fork.