jaredpalmer / tsdx

Zero-config CLI for TypeScript package development
https://tsdx.io
MIT License

Upgrade ts-jest and rollup-plugin-terser to fix vulnerabilities #803

Closed gjgd closed 4 years ago

gjgd commented 4 years ago

In my project using v0.13.2, when running npm audit I get security alerts coming from tsdx dependencies.

Upgrading those dependencies should fix the problem

Full details

➜ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tsdx [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tsdx > ts-jest > yargs-parser                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Remote Code Execution                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tsdx [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tsdx > rollup-plugin-terser > serialize-javascript           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1548                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 low, 1 high) in 1108 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

agilgur5 commented 4 years ago

One is a duplicate of #797, which itself is a duplicate of https://github.com/formium/tsdx/pull/731#issuecomment-672246494, and the other is a duplicate of #679. Please use the search before filing issues.

The low severity one is also from a testing dependency, ts-jest, so it doesn't affect your build output.

Upgrading those dependencies should fix the problem

Neither of these is a direct dependency of TSDX; they're both two levels upstream and both are breaking changes.
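The audit report in the first post and the reply's point that both packages sit two levels upstream can be reproduced with a small lockfile walk. The following is an added example, not code from tsdx or from either commenter: it takes a constructed npm v1-style package-lock tree (the package names and dependency paths match the report, the installed versions of the nested packages are assumptions), lists every install path to the package named in each advisory, and tests the installed version against the advisory's "Patched in" range using the same `>=`/`<`/`||` syntax npm audit prints. Advisory ids 1500 and 1548 and the ranges are copied from the report above.

```javascript
// Added example (not tsdx's code): reproduce npm audit's reasoning for the two
// advisories above by walking a package-lock tree and comparing versions.

// Constructed lockfile fragment. Names and dependency paths follow the audit
// report; the installed versions of the nested packages are assumptions.
const lockfile = {
  name: "my-project",
  dependencies: {
    tsdx: {
      version: "0.13.2",
      dev: true,
      dependencies: {
        "ts-jest": {
          version: "25.0.0", // assumed
          dependencies: { "yargs-parser": { version: "18.1.1" } }, // assumed, below 18.1.2
        },
        "rollup-plugin-terser": {
          version: "5.0.0", // assumed
          dependencies: { "serialize-javascript": { version: "2.1.2" } }, // assumed, below 3.1.0
        },
      },
    },
    // A patched copy hoisted to the top level: must NOT be reported.
    "serialize-javascript": { version: "3.1.0" },
  },
};

// Advisory ids and "Patched in" ranges exactly as printed in the report above.
const advisories = [
  { id: 1500, severity: "low", pkg: "yargs-parser",
    patched: ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2" },
  { id: 1548, severity: "high", pkg: "serialize-javascript", patched: ">=3.1.0" },
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal range matcher for the syntax npm audit prints: space-separated
// comparators are ANDed, "||" separates alternatives. Pre-release tags and
// ^/~ shorthands are deliberately not handled.
function satisfies(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case ">=": return c >= 0;
        case ">":  return c > 0;
        case "<=": return c <= 0;
        case "<":  return c < 0;
        default:   return c === 0;
      }
    })
  );
}

// Depth-first walk over nested "dependencies". A package can be installed at
// several depths with different versions, so every path is returned.
function findPaths(tree, target, prefix = [], inheritedDev = false) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, name];
    const dev = inheritedDev || Boolean(node.dev); // dev-ness is inherited from the parent
    if (name === target) hits.push({ path, version: node.version, dev });
    hits.push(...findPaths(node, target, path, dev));
  }
  return hits;
}

// Report each installed copy whose version falls outside the patched range.
function audit(lock, advs) {
  const findings = [];
  for (const adv of advs) {
    for (const hit of findPaths(lock, adv.pkg)) {
      if (satisfies(hit.version, adv.patched)) continue;
      findings.push({
        id: adv.id, severity: adv.severity, pkg: adv.pkg, version: hit.version,
        dev: hit.dev, path: hit.path.join(" > "), patched: adv.patched,
      });
    }
  }
  return findings;
}

for (const f of audit(lockfile, advisories)) {
  console.log(`${f.severity.padEnd(4)} ${f.pkg}@${f.version} via ${f.path}${f.dev ? " [dev]" : ""} (patched in ${f.patched})`);
}
```

The output lists only the two nested copies under tsdx, each flagged `[dev]` because the dev flag is inherited from the tsdx entry, which is why the low-severity ts-jest finding does not reach build output; the hoisted top-level serialize-javascript at 3.1.0 satisfies its range and is not reported. Because the matcher walks the tree rather than a flat list, it also shows the full path npm audit prints, which is what tells you the fix has to land in ts-jest and rollup-plugin-terser, not in tsdx itself.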