telerik / kendo-react

Issue tracker - KendoReact http://www.telerik.com/kendo-react-ui/

@progress/kendo-licensing semver security vulnerability #1620

Open tplante opened 1 year ago

tplante commented 1 year ago

Current behavior

Latest version of @progress/kendo-licensing (1.3.0) has a dependency on semver@7.3.8, which exposes a security vulnerability. This is fixed in semver@7.5.2.

Expected behavior

@progress/kendo-licensing has up-to-date, secure dependencies.

Minimal reproduction of the problem with instructions

This vulnerability was reported by snyk.io. To reproduce:

  1. Install @progress/kendo-licensing in your project
  2. Configure Snyk
  3. See semver ReDoS vulnerability

What is the motivation or use case for changing the behavior?

Securing applications that depend on @progress/kendo-licensing

Environment

Package versions:

1.3.0

Browser: N/A

System: N/A

Snyk report:

[Screenshot of the Snyk report, 2023-06-28]

tsvetomir commented 1 year ago

This looks like a false positive, but might be due to a stale package-lock.json file. Try updating the dependencies in your project using npm update.

In more detail, @progress/kendo-licensing depends on jsonwebtoken 9.0.0 which loosely specifies "semver": "^7.3.8". NPM should pick up the latest version during an update.

tplante commented 1 year ago

@tsvetomir I regularly upgrade dependencies, but because of the indirect relationship to semver I don't have control over its version. Yarn only lists dependency versions one layer deep. Here's how my yarn.lock looks:

"@progress/kendo-licensing@^1.3.0":
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/@progress/kendo-licensing/-/kendo-licensing-1.3.0.tgz#92cb1033c56e5b86ef0c5d81ea83e887b4557614"
  integrity sha512-Bp5MUX6wVHVUW8ZJUNcFVw9/KwRvP/a9zg2gAwRhpHVlwrSPbIpCMoBRRk32CEzC1tpUsIuQywT95+97HXZDTg==
  dependencies:
    jsonwebtoken "^9.0.0"

Is it possible to resolve this without action from jsonwebtoken?

tsvetomir commented 1 year ago

It should be possible to override indirect dependency versions through the resolutions section:

"resolutions": {
  "semver": "^7.5.2"
}

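A way to confirm that an override like the one above actually took effect is to scan the regenerated lockfile for every resolved version of the package and flag any that are still below the fixed release. The following is an added example, not code from the kendo-react repository or from the commenters; it assumes the Yarn v1 lockfile block format shown earlier in the thread, the lockfile text is constructed for illustration (tarball hashes are placeholders), and the version comparison is deliberately simple (dotted numeric parts only, prerelease tags ignored). The same idea applies to npm projects, which express the override through the "overrides" field of package.json rather than "resolutions".

```javascript
// Added example (not part of the issue thread): find resolved versions of a
// package in a Yarn v1 lockfile that are older than a known fixed version.

// Minimal parser for the yarn.lock v1 block format:
//   "name@range", "name@range2":
//     version "x.y.z"
// Returns one entry per block with its key list and resolved version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split('\n')) {
    if (rawLine.startsWith('#') || rawLine.trim() === '') continue;
    if (!rawLine.startsWith(' ')) {
      // Header line: comma-separated, optionally quoted keys, ending with ':'
      const keys = rawLine.replace(/:\s*$/, '').split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      current = { keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = rawLine.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Package name from a "name@range" key; scoped names ("@scope/name@range") work
// because the range separator is the last '@' in the key.
function packageName(key) {
  const at = key.lastIndexOf('@');
  return at > 0 ? key.slice(0, at) : key;
}

// Compare dotted numeric versions; prerelease suffixes are dropped.
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every lockfile block for `name` whose resolved version is below `fixedVersion`.
function findVulnerable(lockText, name, fixedVersion) {
  return parseYarnLock(lockText)
    .filter((e) => e.keys.some((k) => packageName(k) === name))
    .filter((e) => e.version && compareVersions(e.version, fixedVersion) < 0)
    .map((e) => ({ keys: e.keys, version: e.version }));
}

// Constructed sample lockfile: the transitive chain discussed in the thread,
// with semver still resolved to 7.3.8. Hashes are placeholders, not real.
const LOCK_BEFORE = `
"@progress/kendo-licensing@^1.3.0":
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/@progress/kendo-licensing/-/kendo-licensing-1.3.0.tgz#PLACEHOLDER"
  dependencies:
    jsonwebtoken "^9.0.0"

jsonwebtoken@^9.0.0:
  version "9.0.0"
  resolved "https://registry.yarnpkg.com/jsonwebtoken/-/jsonwebtoken-9.0.0.tgz#PLACEHOLDER"
  dependencies:
    semver "^7.3.8"

semver@^7.3.8:
  version "7.3.8"
  resolved "https://registry.yarnpkg.com/semver/-/semver-7.3.8.tgz#PLACEHOLDER"
`;

// The same lockfile after a "resolutions" override has been applied and the
// install re-run (constructed; 7.5.4 is just a version at or above the fix).
const LOCK_AFTER = LOCK_BEFORE.replace('version "7.3.8"', 'version "7.5.4"');

// Stand-alone run: report what is still below the fixed release.
console.log('before override:', JSON.stringify(findVulnerable(LOCK_BEFORE, 'semver', '7.5.2')));
console.log('after override: ', JSON.stringify(findVulnerable(LOCK_AFTER, 'semver', '7.5.2')));
```

Against a real project, read yarn.lock from disk with `fs.readFileSync` and pass it as `lockText`; an empty result for the package is the condition to gate a CI step on, since a scanner reading the lockfile will otherwise keep reporting the old version regardless of what package.json says.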
tsvetomir commented 1 year ago

Also reported in https://github.com/auth0/node-jsonwebtoken/issues/921 and https://github.com/auth0/node-jsonwebtoken/issues/905