Open ANDuff opened 1 year ago
The version 5.98.0 still has a dependency on this vulnerable package. Is there currently a workaround for this?
This is one of those "high vulnerability" false alarms that sadly undermines the credibility of all security advisories because:
The underlying disconnect is that such auditing tools ignore the usage context (production website? internal dashboard? build tool? etc), and instead expect that projects should fix all vulnerabilities no matter how obviously irrelevant. But doing so often has a significant engineering cost.
We should try to get yaml upgraded. If someone wants to contribute a PR, that would be very welcome. (This position puts us ahead of many other major OSS maintainers, who have started disdainfully rejecting such false alarms: https://github.com/facebook/docusaurus/issues/7275#issuecomment-1113997259)
Looks like the fix needs to be made upstream, and @iclanton already created a PR: https://github.com/depcheck/depcheck/pull/802
So the problem is basically external to this repo.
Summary
When running a build in ADO with the latest rush version, component governance flags CVE-2023-2251 as a high vulnerability, which is due to yaml version 1.10.2.
Details
The nesting of this is as follows:
@microsoft/rush@5.97.1
├─ @microsoft/rush-lib@5.97.1
│ ├─ npm-check@6.0.1
│ │ ├─ depcheck@1.4.3
│ │ │ ├─ cosmiconfig@7.1.0
│ │ │ │ └─ yaml@1.10.2
Standard questions
Please answer these questions to help us investigate your issue more quickly:
@microsoft/rush globally installed version?
rushVersion from rush.json?
useWorkspaces from rush.json?
node -v?