Summary
Updated snyk ignore files

Problem statement
npx snyk test is throwing the following error:

Issues with no direct upgrade or patch:
✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in ansi-regex@2.1.1
introduced by @uswds/compile@1.1.0 > gulp@4.0.2 > gulp-cli@2.3.0 > yargs@7.1.2 > string-width@1.0.2 > strip-ansi@3.0.1 > ansi-regex@2.1.1 and 4 other path(s)
This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1
✗ Uncontrolled resource consumption [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@2.3.2
introduced by @uswds/compile@1.1.0 > gulp@4.0.2 > glob-watcher@5.0.5 > chokidar@2.1.8 > braces@2.3.2 and 6 other path(s)
This issue was fixed in versions: 3.0.3
✗ Missing Release of Resource after Effective Lifetime [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116] in inflight@1.0.6
introduced by @uswds/compile@1.1.0 > del@6.1.1 > rimraf@3.0.2 > glob@7.2.3 > inflight@1.0.6 and 1 other path(s)
No upgrade or patch available
✗ Inefficient Regular Expression Complexity [High Severity][https://security.snyk.io/vuln/SNYK-JS-MICROMATCH-6838728] in micromatch@3.1.10
introduced by @uswds/compile@1.1.0 > gulp@4.0.2 > glob-watcher@5.0.5 > anymatch@2.0.0 > micromatch@3.1.10 and 5 other path(s)
This issue was fixed in versions: 4.0.6
✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0
introduced by @uswds/compile@1.1.0 > gulp@4.0.2 > glob-watcher@5.0.5 > chokidar@2.1.8 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 30 other path(s)
This issue was fixed in versions: 2.0.1

Solution
Updated snyk ignore. Ran the following in the command line:
npx snyk ignore --id="SNYK-JS-BRACES-6838727" --reason="No available upgrade or patch"
npx snyk ignore --id="SNYK-JS-MICROMATCH-6838728" --reason="No available upgrade or patch"
npx snyk ignore --id="SNYK-JS-UNSETVALUE-2400660" --reason="No available upgrade or patch"
npx snyk ignore --id="SNYK-JS-ANSIREGEX-1583908" --reason="No available upgrade or patch"
npx snyk ignore --id="SNYK-JS-INFLIGHT-6095116" --reason="No available upgrade or patch"

Testing and review
To test, run npx snyk test and check for errors.

Reference
Ignoring Snyk alerts (Google docs :lock:)
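
The report above marks some issues as fixed in a later release of the transitive package and one as having no fix at all. The following added example (not part of the original pull request or of Snyk) parses that report layout and builds a `snyk ignore` command whose reason records which case applies. The function names `parseUnfixable` and `ignoreCommand` are hypothetical, and the text layout is assumed to match the report quoted on this page.

```javascript
// Added example. SAMPLE is an excerpt of the report quoted above, embedded so this runs offline.
const SAMPLE = `
Issues with no direct upgrade or patch:
✗ Uncontrolled resource consumption [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@2.3.2
introduced by @uswds/compile@1.1.0 > gulp@4.0.2 > glob-watcher@5.0.5 > chokidar@2.1.8 > braces@2.3.2 and 6 other path(s)
This issue was fixed in versions: 3.0.3
✗ Missing Release of Resource after Effective Lifetime [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116] in inflight@1.0.6
introduced by @uswds/compile@1.1.0 > del@6.1.1 > rimraf@3.0.2 > glob@7.2.3 > inflight@1.0.6 and 1 other path(s)
No upgrade or patch available
`;

// parseUnfixable (hypothetical name): one record per "✗" entry in the report text.
function parseUnfixable(report) {
  const issues = [];
  let cur = null;
  for (const raw of report.split(/\r?\n/)) {
    const line = raw.trim();
    let m;
    if ((m = line.match(/^✗\s+(.+?)\s+\[(\w+) Severity\]\[(\S+?)\]\s+in\s+(\S+)@([^@\s]+)$/))) {
      cur = { title: m[1], severity: m[2], id: m[3].split('/').pop(),
              pkg: m[4], version: m[5], root: null, paths: 0, fixedIn: [] };
      issues.push(cur);
    } else if (cur && (m = line.match(/^introduced by (.+?)(?: and (\d+) other path\(s\))?$/))) {
      cur.root = m[1].split(' > ')[0];       // the direct dependency that pulls it in
      cur.paths = 1 + Number(m[2] || 0);     // listed path plus the "other path(s)"
    } else if (cur && (m = line.match(/^This issue was fixed in versions: (.+)$/))) {
      cur.fixedIn = m[1].split(/,\s*/);
    }
  }
  return issues;
}

// ignoreCommand (hypothetical name): uses only the --id and --reason flags shown on this page.
function ignoreCommand(issue) {
  // The id is interpolated into a shell command, so accept only the expected shape.
  if (!/^SNYK-[A-Z0-9-]+$/.test(issue.id)) throw new Error(`unexpected issue id: ${issue.id}`);
  const reason = issue.fixedIn.length
    ? `Fixed in ${issue.pkg} ${issue.fixedIn.join(', ')}; no direct upgrade via ${issue.root || 'the direct dependency'}`
    : 'No available upgrade or patch';
  // Drop characters that could break out of the double-quoted argument.
  return `npx snyk ignore --id="${issue.id}" --reason="${reason.replace(/[^\w@/.,;: -]/g, '')}"`;
}

for (const issue of parseUnfixable(SAMPLE)) console.log(ignoreCommand(issue));
```
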