Open bcbeatty opened 2 years ago
Most of the deps can be upgraded without requiring any changes. Some overrides are required because `gulp` hasn't been updated since 2019. You may consider dropping it in favor of something like `grunt`, specifically because it is still actively maintained, and `webpack` seems like overkill here.

`bootstrap` cannot be easily upgraded due to a large number of breaking changes between v4 and v5.

`node-sass` should also be dropped and replaced with `sass`. It is a direct replacement, and `node-sass` has been deprecated for quite some time.
```json
{
  "version": "1.0.0",
  "name": "skoruba-duende-identity-server-admin-sts",
  "description": "The administration for the Duende IdentityServer and Asp.Net Core Identity",
  "author": "Jan Skoruba & jan@skoruba.com",
  "license": "MIT",
  "private": true,
  "resolutions": {
    "natives": "1.1.3"
  },
  "scripts": {
    "build-assets": "npx gulp build"
  },
  "dependencies": {
    "bootstrap": "4.6.2",
    "bootswatch": "4.6.2",
    "cookieconsent": "3.1.1",
    "font-awesome": "4.7.0",
    "holderjs": "2.9.9",
    "jquery": "3.6.0",
    "jquery-validation": "1.19.5",
    "jquery-validation-unobtrusive": "4.0.0",
    "open-iconic": "1.1.1",
    "popper.js": "1.16.1",
    "sass": "^1.54.4"
  },
  "devDependencies": {
    "del": "5.1.0",
    "gulp": "4.0.2",
    "gulp-clean-css": "4.3.0",
    "gulp-concat": "2.6.1",
    "gulp-sass": "5.1.0",
    "gulp-uglify": "3.0.2"
  },
  "overrides": {
    "chokidar": "3.5.3",
    "glob-parent": "6.0.2"
  }
}
```
```javascript
// gulpfile.js
// replace this line
var sass = require('gulp-sass');
// with this line (gulp-sass 5 no longer bundles a compiler, so the Dart sass package is passed in)
var sass = require('gulp-sass')(require('sass'));
```
Using the above code got rid of all security vulnerabilities in NPM packages.
Thanks @bruceharrison1984
Can you add this to the new version which will be released?
We were running scans of the Duende STS with Skoruba container with Amazon Inspector and came across some critical vulnerabilities in the image having to do with the `minimist` package on the image:
https://nvd.nist.gov/vuln/detail/CVE-2021-44906

Do you have an update on addressing this?