skoruba / Duende.IdentityServer.Admin

The administration for the Duende IdentityServer and Asp.Net Core Identity ⚡
Apache License 2.0

minimist vulnerabilities #90

Open bcbeatty opened 2 years ago

bcbeatty commented 2 years ago

We were running scans of the Duende STS with skoruba container with Amazon Inspector and came across some critical vulnerabilities in the image having to do with the minimist package on the image.

https://nvd.nist.gov/vuln/detail/CVE-2021-44906

Do you have an update on addressing this?

bruceharrison1984 commented 2 years ago

Most of the deps can be upgraded without requiring any changes. Some overrides are required because gulp hasn't been updated since 2019. You may consider dropping it in favor of something like grunt, specifically because it is still actively maintained, and webpack seems like overkill here.

bootstrap cannot be easily upgraded due to a large number of breaking changes between v4 and v5.

node-sass should also be dropped and replaced with sass. It is a direct replacement, and node-sass has been deprecated for quite some time.

{
    "version": "1.0.0",
    "name": "skoruba-duende-identity-server-admin-sts",
    "description": "The administration for the Duende IdentityServer and Asp.Net Core Identity",
    "author": "Jan Skoruba & jan@skoruba.com",
    "license": "MIT",
    "private": true,
    "resolutions": {
        "natives": "1.1.3"
    },
    "scripts": {
        "build-assets": "npx gulp build"
    },
    "dependencies": {
        "bootstrap": "4.6.2",
        "bootswatch": "4.6.2",
        "cookieconsent": "3.1.1",
        "font-awesome": "4.7.0",
        "holderjs": "2.9.9",
        "jquery": "3.6.0",
        "jquery-validation": "1.19.5",
        "jquery-validation-unobtrusive": "4.0.0",
        "open-iconic": "1.1.1",
        "popper.js": "1.16.1",
        "sass": "^1.54.4"
    },
    "devDependencies": {
        "del": "5.1.0",
        "gulp": "4.0.2",
        "gulp-clean-css": "4.3.0",
        "gulp-concat": "2.6.1",
        "gulp-sass": "5.1.0",
        "gulp-uglify": "3.0.2"
    },
    "overrides": {
        "chokidar": "3.5.3",
        "glob-parent": "6.0.2"
    }
}

// gulpfile.js

// replace this line
var sass = require('gulp-sass');

// with this line
var sass = require('gulp-sass')(require('sass'));

Using the above code got rid of all security vulnerabilities in NPM packages.
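To verify a fix like the one above, it helps to know which top-level dependency still pulls in a vulnerable version of a package. The following script is an added example, not code from the issue or from the project: it walks a dependency tree in the shape produced by `npm ls --all --json` and reports every path reaching minimist below the patched version. `SAMPLE_TREE` is a constructed sample that only resembles the pre-upgrade STS image; its nested packages and versions are illustrative, not taken from the real lock file.

```javascript
// Added example (not from the issue or the project): report every dependency
// path that reaches a vulnerable version of a package in an `npm ls --all --json`
// style tree. In real use, replace SAMPLE_TREE with
// JSON.parse(fs.readFileSync('npm-ls.json', 'utf8')).

// Constructed sample tree; package versions and nesting are illustrative only.
const SAMPLE_TREE = {
  name: 'skoruba-duende-identity-server-admin-sts',
  dependencies: {
    'node-sass': {
      version: '4.14.1',
      dependencies: {
        meow: { version: '3.7.0', dependencies: { minimist: { version: '1.2.5' } } },
      },
    },
    gulp: {
      version: '4.0.2',
      dependencies: {
        'gulp-cli': { version: '2.3.0', dependencies: { minimist: { version: '1.2.5' } } },
      },
    },
    sass: { version: '1.54.4' },
    'gulp-uglify': { version: '3.0.2', dependencies: { minimist: { version: '1.2.6' } } },
  },
};

// Numeric compare of dotted versions ("1.2.5" < "1.2.6"); pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk; returns "parent@v > child@v > ..." strings for every vulnerable hit.
function findVulnerablePaths(tree, pkg, fixedIn, trail = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...trail, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, fixedIn) < 0) out.push(here.join(' > '));
    findVulnerablePaths(node, pkg, fixedIn, here, out);
  }
  return out;
}

// CVE-2021-44906: the 1.x fix is assumed to be minimist 1.2.6; check the NVD entry for your line.
const hits = findVulnerablePaths(SAMPLE_TREE, 'minimist', '1.2.6');
console.log(hits.length ? hits.join('\n') : 'no vulnerable minimist found');
```

An empty result after `npm install` with the upgraded package.json confirms that no remaining dependency still resolves the vulnerable version.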

skoruba commented 2 years ago

Thanks @bruceharrison1984

senzacionale commented 2 years ago

Can you add this to the new version which will be released?