Open franciscojs12 opened 2 years ago
jesse-mm
commented
2 years ago I've checked these packages and most of them are only being used while packaging the project. So these form no risk. We need to check if we can update direct dependencies like modernizr & handlebars.
Btw I didn't see swiper coming back from vulnerable dep list, is this a project specific dependency ?
franciscojs12
commented
2 years ago @jesse-mm yes, Swiper is a project specific dependency, sorry I didn't filter that out!
franciscojs12
commented
2 years ago How can I evaluate what kind of actual danger the high/critical vulnerabilities found in modernizr and handlebars actually impose in the project I’m working?
Handlebars has prototype pollution, arbitrary code execution and remote code execution when compiling templates.
Modernizr has prototype pollution in the y18n dependency
jesse-mm
commented
2 years ago The vulnerabilities are posing a risk mostly when compiling on the build server / or locally. In that case to exploit it an attacker would need to have access to the code / or the machine where it's built on. In the latter case the damage is already done.
I would suggest to read up on this blog post https://overreacted.io/npm-audit-broken-by-design/
Running "muban-core": "^2.1.2".
26 vulnerabilities found - Packages audited: 162 Severity: 8 Low | 4 Moderate | 11 High | 3 Critical
What can we do about this?
Complete audit here: