mmanela / chutzpah

Chutzpah is an open source JavaScript test runner which enables you to run unit tests using QUnit, Jasmine, Mocha and TypeScript.
http://mmanela.github.io/chutzpah/
Apache License 2.0
550 stars, 143 forks

Update jsdom to 16.5.0 to remove security issues #820

Closed Evangelink closed 1 year ago

Evangelink commented 1 year ago

Fixes #818

When doing a local build, the logs were saying that the package-lock.json files were using an old mechanism and would be auto-updated to the new format.
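A check a reviewer of a dependency-bump PR like this one might run, as an added example that is not part of this PR or of Chutzpah's code: walk a package-lock.json, find every installed copy of a package (including nested duplicates under another dependency's node_modules), and flag any copy below a minimum version. It handles both the lockfileVersion 1 layout (nested "dependencies" objects) and the lockfileVersion 2/3 layout ("packages" keyed by node_modules path), which is the format change the build log warned about. The minimum 16.5.0 is the version this PR moves jsdom to; the two lockfiles, the `some-wrapper` package name, and the function names are constructed for the example.

```javascript
// Added example, not Chutzpah's code: audit a parsed package-lock.json for
// every installed copy of a dependency and flag copies below a minimum version.
const MIN_JSDOM = '16.5.0'; // the version this PR bumps jsdom to

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator semantics: <0, 0, >0. A prerelease sorts below its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Collect every installed copy of `name`, with the path it is installed at.
// Nested duplicates (node_modules/a/node_modules/jsdom) are what `npm audit`
// style tooling reports and what a top-level bump alone does not fix.
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths relative to the project root
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: a tree of nested "dependencies" objects
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Copies of `name` older than `min`. An empty result means either every copy
// is new enough or the package is not installed; callers should tell them apart.
function auditLock(lock, name, min) {
  return findInstalled(lock, name).filter(h => compareVersions(h.version, min) < 0);
}

// Constructed sample lockfiles (not from the Chutzpah repository).
const LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    jsdom: { version: '9.12.0' },
    'some-wrapper': { version: '1.0.0', dependencies: { jsdom: { version: '16.5.0' } } }
  }
};
const LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example' },
    'node_modules/jsdom': { version: '16.5.0' },
    'node_modules/some-wrapper': { version: '1.0.0' },
    'node_modules/some-wrapper/node_modules/jsdom': { version: '16.4.0' }
  }
};

function report(label, lock) {
  const bad = auditLock(lock, 'jsdom', MIN_JSDOM);
  return `${label}: ${bad.length ? bad.map(b => `${b.path}@${b.version}`).join(', ') : 'clean'}`;
}

console.log(report('v1', LOCK_V1)); // v1: node_modules/jsdom@9.12.0
console.log(report('v3', LOCK_V3)); // v3: node_modules/some-wrapper/node_modules/jsdom@16.4.0
```

Against a real checkout, replace the constructed objects with `JSON.parse` of each package-lock.json in the repo; the point of walking nested paths is that a transitive dependency can pin its own older jsdom, so a version bump in the top-level package.json alone does not guarantee the flagged copy is gone.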

Evangelink commented 1 year ago

Hi @mmanela, would it be possible for you to review this PR? It would help us to be able to remove this security issue from our radar.

Evangelink commented 1 year ago

Ping @mmanela

mmanela commented 1 year ago

Sorry for the delay. Did you validate if everything works? I remember years ago I had looked at a JSDOM update and it broke a lot. @Evangelink

Evangelink commented 1 year ago

I haven't done any extra manual test, no. I assumed that there were integration tests that would catch such an issue. Happy to run any test but I would need some guidance from you because I am not really using your tool per se. I am part of the MS test platform team and we simply have some acceptance tests using your tool to ensure we don't break compatibility for JS testing (meaning that I am not actively using this tool). I am happy to learn because I expect to be doing regular PRs here for security reasons.

mmanela commented 1 year ago

The other thing to consider @Evangelink is that this is not really a vulnerability that needs actioning. Chutzpah is not a server application and is just a locally run client app. The risk of exposure is super minimal. Chutzpah gets flagged for these things though since the libs it uses may be used in web sites that are actually exploitable.

Evangelink commented 1 year ago

Sadly it will be harder for us to investigate, justify and ensure that vulnerabilities can't be exploited in any way than to "simply" bump the dependencies. Although I understand this will generate some extra review/release work on your side.