Closed jeran-urban closed 11 months ago
For now I am using an override in my package.json file:

```json
"overrides": {
  "glob-parent": "^5.1.2"
},
```

This is working, but I am still evaluating whether there are any repercussions of using this workaround, as this project does use glob strings in the gulp configuration.
Reported from Snyk as of 03/26/23
Issues with no direct upgrade or patch:
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@2.1.1
introduced by @uswds/compile@1.0.0 > gulp@4.0.2 > gulp-cli@2.3.0 > yargs@7.1.2 > string-width@1.0.2 > strip-ansi@3.0.1 > ansi-regex@2.1.1 and 4 other path(s)
This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1
✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0
introduced by @uswds/compile@1.0.0 > gulp@4.0.2 > glob-watcher@5.0.5 > chokidar@2.1.8 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 30 other path(s)
This issue was fixed in versions: 2.0.1
Special Note
In digging into this deeper, this appears to be an issue with Gulp instead of this repo, as uswds is on the latest version of gulp and all of the dependency issues reside with gulp 4.0.2. Uswds will need to be upgraded once Gulp fixes its issues.
Describe the bug
The issue I am seeing is that USWDS-Compile relies on a version of Gulp that has a transitive dependency with a valid vulnerability:
https://security.snyk.io/package/npm/glob-parent
This version of gulp also has a transitive dependency vulnerability for yargs-parser:
Steps to reproduce the bug
```sh
npm install uswds-compile
npm audit
```
Expected Behavior
There should be no errors. Would it be possible to upgrade the gulp dependency to a version that is not affected by this?