Open akhenry opened 5 years ago
At the time that this was filed, at least one package was vulnerable. When we removed karma-html-reporter (https://github.com/nasa/openmct/pull/4416) we removed most of the security issues found in our repo reported from lodash.
At this time, there is only a single vulnerability reported on the webpack5-upgrade branch:
=== npm audit security report ===
# Run npm install --save-dev eslint@8.1.0 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ eslint > table > string-width > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
Normally, dependabot would detect these vulnerabilities for us and open a PR. Unfortunately, because of https://github.com/nasa/openmct/issues/4428 we are not aware of these vulnerabilities. We should consider:
- npm scripts: npm audit --audit-level=medium
- Run npm audit and verify that there are no >=Medium security issues
- Verify that the nightly CircleCI job includes a failed step for npm audit --audit-level=low
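The threshold check proposed above, as an added example that is not openmct project code: a Node script that applies an --audit-level style cut-off to the JSON from npm audit --json, so a CI step can fail on findings at or above a chosen severity. The field layout (vulnerabilities keyed by package, each with severity, isDirect, via and effects) is assumed to follow npm 7+ auditReportVersion 2 output, and the sample report is constructed to mirror the ansi-regex chain quoted in the issue; note that the severity names npm reports are info, low, moderate, high and critical, so "moderate" is used here for the thread's "medium".

```javascript
// Added example, not openmct project code: apply an --audit-level style
// threshold to `npm audit --json` output so a CI step can fail on it.
// Field layout assumed to follow npm 7+ "auditReportVersion: 2" reports;
// the sample report below is constructed, not captured from the repo.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return the findings whose severity is at or above `level`.
function findingsAtOrAbove(report, level) {
  const floor = SEVERITY_RANK[level];
  if (floor === undefined) throw new Error(`unknown audit level: ${level}`);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => (SEVERITY_RANK[v.severity] ?? -1) >= floor)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // `via` mixes advisory objects with plain package-name strings (transitive hits); keep advisory URLs.
      advisories: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.url),
    }));
}

// Exit status the CI step should return: 1 when anything meets the threshold.
function auditExitCode(report, level) {
  return findingsAtOrAbove(report, level).length > 0 ? 1 : 0;
}

// Constructed sample mirroring the ansi-regex chain quoted in the issue,
// plus a placeholder low-severity finding to show the threshold working.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'ansi-regex': {
      name: 'ansi-regex', severity: 'moderate', isDirect: false,
      via: [{ title: 'Inefficient Regular Expression Complexity in chalk/ansi-regex',
              url: 'https://github.com/advisories/GHSA-93q8-gq69-wqmw', severity: 'moderate' }],
      effects: ['strip-ansi'], nodes: ['node_modules/ansi-regex'],
    },
    'strip-ansi': { name: 'strip-ansi', severity: 'moderate', isDirect: false,
                    via: ['ansi-regex'], effects: ['string-width'], nodes: ['node_modules/strip-ansi'] },
    'example-low-pkg': { name: 'example-low-pkg', severity: 'low', isDirect: true,
                         via: [{ title: 'placeholder', url: 'https://example.invalid/placeholder', severity: 'low' }],
                         effects: [], nodes: ['node_modules/example-low-pkg'] },
  },
};

for (const f of findingsAtOrAbove(SAMPLE_REPORT, 'moderate')) {
  console.log(`${f.severity}\t${f.name}\t${f.direct ? 'direct' : 'transitive'}\t${f.advisories.join(' ')}`);
}
console.log(`exit code for --audit-level=moderate: ${auditExitCode(SAMPLE_REPORT, 'moderate')}`);
```

In a pipeline the same functions would be fed the parsed output of npm audit --json and the process exited with auditExitCode, which is what makes the nightly step fail visibly instead of only printing a table.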
I'm not sure if I'm doing this correctly. I pulled down release/1.8.1 and on running npm audit I'm seeing 27 vulnerabilities, 17 moderate and 10 high.
@khalidadil that is correct! This is now blocked by the webpack PR.
Note: This is blocked on the webpack PR. Re-opening
NPM is currently reporting a number of vulnerabilities in dependencies. Many of these vulnerabilities are in the dev server and build tooling, and do not represent vulnerabilities in the running application itself.
Will address by updating dependency versions and regression testing for next release.