Closed arpitchauhan closed 1 year ago
Hi @arpitchauhan, thanks for your report 🙏 I'll try to follow up on this with someone on the team
Our own usage of these dependencies uses the latest versions, which we update regularly (minimatch, node-sass, postcss). The audit is picking up on sub-dependencies of up-to-date packages, which would be dangerous for us to change manually in our yarn.lock. For the record, these are all devDependencies and not production dependencies (including Node and Ruby), so these vulnerabilities are largely not applicable.
Okay, but there's still the issue of using a vulnerable version of Node. I see that it's used for building releases as well. https://github.com/standardnotes/app/blob/main/.github/workflows/desktop.release.reuse.yml#L62
For Ruby, it doesn't seem the version specified in .ruby-version is used for releases, but I may be wrong.
On the `main` branch in the app repository, there are multiple pieces of third-party software that are vulnerable. For instance:

- NodeJS version is 16.15.1 (a few issues with it)
- Ruby version is set to 2.7.5 (issues)

`yarn npm audit --all` shows these issues:

```
├─ minimatch: 3.0.4
│  ├─ Issue: minimatch ReDoS vulnerability
│  ├─ URL: https://github.com/advisories/GHSA-f8q6-p94x-37v3
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <3.0.5
│  ├─ Patched Versions: >=3.0.5
│  ├─ Via: minimatch
│  └─ Recommendation: Upgrade to version 3.0.5 or later
│
├─ node-sass: 6.0.1
│  ├─ Issue: Improper Certificate Validation in node-sass
│  ├─ URL: https://github.com/advisories/GHSA-r8f7-9pfq-mjmv
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: >=2.0.0 <7.0.0
│  ├─ Patched Versions: >=7.0.0
│  ├─ Via: node-sass
│  └─ Recommendation: Upgrade to version 7.0.0 or later
│
└─ postcss: 6.0.23
   ├─ Issue: Regular Expression Denial of Service in postcss
   ├─ URL: https://github.com/advisories/GHSA-566m-qj78-rww5
   ├─ Severity: moderate
   ├─ Vulnerable Versions: <7.0.36
   ├─ Patched Versions: >=7.0.36
   ├─ Via: postcss
   └─ Recommendation: Upgrade to version 7.0.36 or later
```

Furthermore, there are outstanding PRs opened by Dependabot (see).
Please ensure that these runtimes/dependencies are updated when security vulnerabilities are identified in them, especially promptly when the severity level is HIGH or CRITICAL. This is critical to ensure the security of your users.
I'm open to assisting by opening PRs as needed.
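The issue asks for prompt updates whenever a HIGH or CRITICAL finding appears, which is the kind of rule a CI job can enforce. The following is an added example written for this page, not code from the standardnotes/app repository or from either participant in the thread. It parses the text tree that `yarn npm audit --all` prints (the layout quoted in the issue is assumed to be representative), turns each advisory into a record, and reports whether anything at or above a chosen severity threshold is present. The sample input is constructed to mirror the three advisories quoted above; the function and constant names are the example's own.

```javascript
'use strict';

// Added example (not from the standardnotes/app repository or the issue author):
// parse the tree printed by `yarn npm audit --all` and gate on severity.

// Field labels that appear beneath each package entry in the quoted output.
const FIELD_LABELS = new Set([
  'Issue', 'URL', 'Severity', 'Vulnerable Versions',
  'Patched Versions', 'Via', 'Recommendation',
]);

// Severity order used by GitHub advisories / npm audit (low < moderate < high < critical).
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample input, modelled on the three findings quoted in the issue.
const SAMPLE_AUDIT_OUTPUT = `
├─ minimatch: 3.0.4
│  ├─ Issue: minimatch ReDoS vulnerability
│  ├─ URL: https://github.com/advisories/GHSA-f8q6-p94x-37v3
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <3.0.5
│  ├─ Patched Versions: >=3.0.5
│  ├─ Via: minimatch
│  └─ Recommendation: Upgrade to version 3.0.5 or later
│
├─ node-sass: 6.0.1
│  ├─ Issue: Improper Certificate Validation in node-sass
│  ├─ URL: https://github.com/advisories/GHSA-r8f7-9pfq-mjmv
│  ├─ Severity: moderate
│  ├─ Vulnerable Versions: >=2.0.0 <7.0.0
│  ├─ Patched Versions: >=7.0.0
│  ├─ Via: node-sass
│  └─ Recommendation: Upgrade to version 7.0.0 or later
│
└─ postcss: 6.0.23
   ├─ Issue: Regular Expression Denial of Service in postcss
   ├─ URL: https://github.com/advisories/GHSA-566m-qj78-rww5
   ├─ Severity: moderate
   ├─ Vulnerable Versions: <7.0.36
   ├─ Patched Versions: >=7.0.36
   ├─ Via: postcss
   └─ Recommendation: Upgrade to version 7.0.36 or later
`;

// Turn the tree text into an array of { name, version, Issue, URL, Severity, ... } records.
function parseAuditTree(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split('\n')) {
    // Drop the box-drawing connectors (├ └ │ ─) and surrounding whitespace.
    const line = rawLine.replace(/[├└│─]/g, '').trim();
    if (line === '') continue;              // blank connector line between entries
    const sep = line.indexOf(': ');         // split on the FIRST ": " so URLs stay intact
    if (sep === -1) continue;
    const key = line.slice(0, sep);
    const value = line.slice(sep + 2);
    if (FIELD_LABELS.has(key)) {
      if (current) current[key] = value;    // attribute of the current package
    } else {
      current = { name: key, version: value }; // "pkg: version" starts a new entry
      entries.push(current);
    }
  }
  return entries;
}

// Extract the GHSA identifier from an entry's advisory URL, or null if absent.
function ghsaId(entry) {
  const m = /GHSA-[\w-]+/.exec(entry.URL || '');
  return m ? m[0] : null;
}

// Keep only entries whose severity is at or above the threshold; unknown severities rank 0.
function findingsAtOrAbove(entries, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  return entries.filter(e => (SEVERITY_RANK[(e.Severity || '').toLowerCase()] || 0) >= min);
}

// CI gate: true when at least one finding meets the threshold (default "high").
function shouldFailBuild(auditText, threshold = 'high') {
  return findingsAtOrAbove(parseAuditTree(auditText), threshold).length > 0;
}

// One-line summary per blocking finding, suitable for a CI log.
function summarize(auditText, threshold = 'high') {
  return findingsAtOrAbove(parseAuditTree(auditText), threshold)
    .map(e => `${e.Severity.toUpperCase()} ${e.name}@${e.version} (${ghsaId(e)}) -> ${e.Recommendation}`);
}

console.log(summarize(SAMPLE_AUDIT_OUTPUT, 'high').join('\n') || 'no blocking findings');
```

Run against the sample, the only finding that clears the "high" bar is minimatch 3.0.4, while a "moderate" threshold flags all three. A gate like this only answers whether a finding exists; the judgement the maintainer raised (whether the package is a transitive devDependency that never ships) still has to be made per finding, and `yarn why <package>` shows which direct dependency is pinning the flagged version.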