uswds / uswds-site

USWDS website and documentation
https://designsystem.digital.gov

USWDS-Site: Fix snyk errors #2672

Closed amyleadem closed 4 months ago

amyleadem commented 4 months ago

Summary

Updated snyk ignore files

Problem statement

npx snyk test is throwing the following error:

Issues with no direct upgrade or patch:
  ✗ Uncontrolled resource consumption [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@2.3.2
    introduced by @uswds/compile@1.1.0 > del@6.1.1 > globby@11.1.0 > fast-glob@3.3.2 > micromatch@4.0.5 > braces@3.0.2 and 7 other path(s)
  No upgrade or patch available
  ✗ Inefficient Regular Expression Complexity [High Severity][https://security.snyk.io/vuln/SNYK-JS-MICROMATCH-6838728] in micromatch@3.1.10
    introduced by @uswds/compile@1.1.0 > del@6.1.1 > globby@11.1.0 > fast-glob@3.3.2 > micromatch@4.0.5 and 6 other path(s)
  No upgrade or patch available

Solution

Updated snyk ignore. Ran the following in the command line:

npx snyk ignore --id="SNYK-JS-BRACES-6838727" --reason="No available upgrade or patch"
npx snyk ignore --id="SNYK-JS-MICROMATCH-6838728" --reason="No available upgrade or patch"

To keep all snyk ignores on the same schedule, I also ran the following:

npx snyk ignore --id="SNYK-JS-UNSETVALUE-2400660" --reason="No available upgrade or patch"
npx snyk ignore --id="SNYK-JS-ANSIREGEX-1583908" --reason="No available upgrade or patch"
npx snyk ignore --id="SNYK-JS-INFLIGHT-6095116" --reason="No available upgrade or patch"

Testing and review

To test, run npx snyk test and check for errors.

Reference

Ignoring Snyk alerts (Google Docs 🔒)
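The PR re-issues the older ignores so that every entry lapses at the same time: each `snyk ignore` call writes an entry to the repository's `.snyk` policy file with a `created` timestamp and, unless `--expiry` is passed, an `expires` timestamp 30 days later, so ignores issued on different days silently lapse one at a time and `npx snyk test` starts failing again piecemeal. The script below is an added example, not code from this PR or the USWDS project: it parses such a policy file and reports which ignores have lapsed or are about to. The file contents and timestamps are constructed; only the vulnerability IDs come from the PR.

```python
import re
from datetime import datetime, timedelta
# Constructed sample .snyk file: IDs from the PR, timestamps made up for illustration.
SAMPLE_POLICY = """\
version: v1.25.0
ignore:
  SNYK-JS-BRACES-6838727:
    - '*':
        reason: No available upgrade or patch
        expires: 2024-07-15T00:00:00.000Z
        created: 2024-06-15T00:00:00.000Z
  SNYK-JS-UNSETVALUE-2400660:
    - '*':
        reason: No available upgrade or patch
        expires: 2024-05-01T00:00:00.000Z
        created: 2024-04-01T00:00:00.000Z
patch: {}
"""
ID_RE = re.compile(r"^  (\S+):\s*$")  # vulnerability id, indented two spaces
FIELD_RE = re.compile(r"^\s+(reason|expires|created):\s*(.+?)\s*$")
def parse_ignores(text):
    """Return {snyk_id: {reason, expires, created}} from the ignore: section."""
    ignores, current, in_ignore = {}, None, False
    for line in text.splitlines():
        if line.startswith("ignore:"):
            in_ignore = True
            continue
        if line and not line.startswith(" "):
            in_ignore = False  # another top-level key (e.g. patch:) ends the block
        if not in_ignore:
            continue
        if m := ID_RE.match(line):
            current = m.group(1)
            ignores[current] = {}
        elif (m := FIELD_RE.match(line)) and current:
            ignores[current][m.group(1)] = m.group(2)
    return ignores

def _ts(s):  # timestamps as snyk writes them, e.g. 2024-07-15T00:00:00.000Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")

def audit(text, now_iso, warn_days=7):
    """Classify each ignore as expired, expiring (within warn_days) or active."""
    now, result = _ts(now_iso), {}
    for snyk_id, fields in parse_ignores(text).items():
        left = _ts(fields["expires"]) - now
        if left <= timedelta(0): result[snyk_id] = "expired"
        elif left <= timedelta(days=warn_days): result[snyk_id] = "expiring"
        else: result[snyk_id] = "active"
    return result
```

Running `audit` over the real `.snyk` file in CI (with `now_iso` set to today) flags entries to re-issue before they lapse, instead of discovering them when `npx snyk test` breaks.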