strongloop / strong-globalize

strong-globalize is built on Unicode CLDR and jquery/globalize. It implements automatic extraction of strings from JS source code and HTML templates, lints the string resources, and machine-translates them in seconds. At runtime, it loads the locale and string resources into memory and provides a hook for persistent logging.

Fix vulnerabilities #172

Closed jannyHou closed 4 years ago

jannyHou commented 4 years ago

Signed-off-by: jannyHou juehou@ca.ibm.com

1st commit: Fix the root level vulnerabilities

jannyHous-MBP:strong-globalize jannyhou$ npm audit

                       === npm audit security report ===                        

found 0 vulnerabilities
 in 1041 scanned packages
jannyHous-MBP:strong-globalize jannyhou$ snyk test

Testing /Users/jannyhou/Desktop/August/strong-globalize...

Organization:      jannyhou
Package manager:   npm
Target file:       package-lock.json
Project name:      strong-globalize
Open source:       no
Project path:      /Users/jannyhou/Desktop/August/strong-globalize
Licenses:          enabled

✓ Tested /Users/jannyhou/Desktop/August/strong-globalize for known issues, no vulnerable paths found.

Tip: Detected multiple supported manifests (5), use --all-projects to scan all of them at once.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

2nd commit: Fix the cli vulnerability caused by https://github.com/strongloop-internal/scrum-apex/issues/445

jannyHous-MBP:cli jannyhou$ npm audit fix
updated 1 package in 2.5s
fixed 1 of 2 vulnerabilities in 571 scanned packages
  1 vulnerability required manual review and could not be updated
jannyHous-MBP:cli jannyhou$ npm audit

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ optimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ optimist > minimist                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 571 scanned packages
  1 vulnerability requires manual review. See the full report for details.

The other one will be fixed in https://github.com/strongloop-internal/scrum-apex/issues/446
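The audit table above reports the vulnerable copy by its dependency path (`optimist > minimist`) and gives the patched range `>=0.2.1 <1.0.0 || >=1.2.3`. As an added example (not code from this PR or from strong-globalize), the script below walks a constructed npm v6 `package-lock.json` object and reports every copy of a package whose version falls outside such a range, reproducing the "Path" column; the range grammar and lockfile content are assumptions for illustration.

```javascript
// Parse "1.2.0" into [1, 2, 0]; prerelease and build tags are ignored for this check.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map(Number);
}

// Compare two parsed versions; negative, zero or positive like Array.prototype.sort expects.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
}

// Evaluate a range in the form npm audit prints: alternatives joined by "||",
// each a whitespace-separated conjunction of >=, <=, > or < comparators.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<)(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(v, parseVersion(m[2]));
      return { ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0 }[m[1]];
    })
  );
}

// Recursively walk the nested "dependencies" tree of a lockfile v1 object and
// collect every copy of `pkg` whose version is not within `patchedRange`.
function findVulnerable(lock, pkg, patchedRange, trail = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg && !satisfies(entry.version, patchedRange)) {
      out.push({ path: path.join(" > "), version: entry.version });
    }
    findVulnerable(entry, pkg, patchedRange, path, out); // nested copies
  }
  return out;
}

// Constructed sample lockfile (not the project's real lockfile): one unpatched
// minimist nested under optimist, and one already-patched top-level copy.
const SAMPLE_LOCK = {
  dependencies: {
    optimist: { version: "0.6.1", dependencies: { minimist: { version: "0.0.10" } } },
    minimist: { version: "1.2.5" },
  },
};

const MINIMIST_PATCHED = ">=0.2.1 <1.0.0 || >=1.2.3"; // range from the audit table above

console.log(findVulnerable(SAMPLE_LOCK, "minimist", MINIMIST_PATCHED));
// → [ { path: 'optimist > minimist', version: '0.0.10' } ]
```

Against a real lockfile, `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK` gives the same report; a non-empty result is what the audit's "manual review" entry corresponds to.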