pamepeixinho / jest-coverage-badges

Create jest coverage badges (from all jest types)
MIT License
103 stars, 177 forks

Update `makedir` dependency to resolve known security issue #19

Status: Open. amclin opened this issue 3 years ago.

amclin commented 3 years ago

Security vulnerability in mkdir dependency

Summary

TL;DR: jest-coverage-badges depends on an outdated version of mkdir with security vulnerabilities.

Age: LEGACY

Estimated cost: SIMPLE

Description :clipboard:

run npm audit

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jest-coverage-badges [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jest-coverage-badges > mkdirp > minimist                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 3 scanned packages

Impact :bomb:

Any project using jest-coverage-badges gets security warnings (and, with NPM 7, non-zero exit codes) on npm install.

Critical in: 2 MONTHS

Proposed solutions :squirrel:

Update mkdirp dependency to latest which no longer depends on the problematic minimist library

(If you don't have any solution in mind, write it.) This tech debt still doesn't have any proposed issue.

(If you have solutions in mind, describe them below.) Solution 1.

Observations :thinking:

Files related


Other evidences

Depends on issue X
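The audit table above flags "Prototype Pollution" in minimist (advisory 1179) reached through mkdirp. The following is an added example written for this page, not code from jest-coverage-badges, mkdirp or minimist: a minimal argv parser that reproduces the pattern the advisory describes (a dotted `--__proto__.x` flag walking into `Object.prototype`), placed beside a hardened version that refuses prototype-reaching segments. The flag names, the `POLLUTING_ARGV` input and all function names are constructed for the demonstration.

```javascript
// Added example for this page: a simplified argv parser showing the
// prototype-pollution pattern behind npm advisory 1179, next to a hardened
// parser. Illustrative code only; not minimist's or the project's source.

// Split "--a.b" / "--a.b=val" / "--a.b val" flags into a key path and a value.
function tokenize(argv) {
  const pairs = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    let key, value;
    if (eq !== -1) {
      key = body.slice(0, eq);
      value = body.slice(eq + 1);
    } else {
      key = body;
      const next = argv[i + 1];
      value = next !== undefined && !next.startsWith('--') ? argv[++i] : true;
    }
    pairs.push({ path: key.split('.'), value });
  }
  return pairs;
}

// Vulnerable: descends the dotted path, creating nested objects as needed.
// On a plain object, obj['__proto__'] resolves to Object.prototype, so the
// path ['__proto__', 'polluted'] writes a property every object will inherit.
function setKeyVulnerable(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    if (cur[k] === undefined) cur[k] = {};
    cur = cur[k];
  }
  cur[path[path.length - 1]] = value;
}

// Segments that can reach a prototype from a plain object.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject forbidden segments outright and only descend into own,
// null-prototype containers created by this parser. Returns false if rejected.
function setKeyHardened(obj, path, value) {
  if (path.some((k) => FORBIDDEN.has(k))) return false;
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[path[path.length - 1]] = value;
  return true;
}

// The vulnerable parser starts from a plain {} (as a naive parser would);
// the hardened one starts from a null-prototype object.
function parseArgs(argv, setKey) {
  const out = setKey === setKeyHardened ? Object.create(null) : {};
  for (const { path, value } of tokenize(argv)) setKey(out, path, value);
  return out;
}

// Constructed attacker-style command line: one polluting flag, one benign flag.
const POLLUTING_ARGV = ['--__proto__.polluted', 'yes', '--out', 'badges'];

// Run both parsers on the same input and report whether an unrelated object
// picked up the injected property. Cleans Object.prototype up afterwards so
// the demonstration leaves the process unchanged.
function demonstrate() {
  const result = {};
  try {
    parseArgs(POLLUTING_ARGV, setKeyVulnerable);
    result.vulnerableLeaks = ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
  const parsed = parseArgs(POLLUTING_ARGV, setKeyHardened);
  result.hardenedLeaks = ({}).polluted === 'yes';
  result.hardenedKeepsOtherFlags = parsed.out === 'badges';
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

Running `node` on the file prints `{ vulnerableLeaks: true, hardenedLeaks: false, hardenedKeepsOtherFlags: true }`. The point for this issue is that the dangerous input is ordinary command-line text, which is why an argv parser sitting three levels down a dependency tree still matters; the fix in the audit table is the "Patched in" range (`>=0.2.1 <1.0.0 || >=1.2.3`), which is what updating mkdirp is meant to pull in.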

flisboac commented 2 years ago

Any updates on this issue?

christophe77 commented 2 years ago

You can use this package: https://www.npmjs.com/package/jest-coverage-badges-ts