zesty-io / node-sdk

Zesty.io software development kit for the node.js runtime
https://zesty.io
GNU General Public License v3.0

Update Dependencies #42

Closed mattezra closed 1 year ago

mattezra commented 1 year ago

Need to update the dependencies to remove high and critical vulnerabilities.

Need to run the test suite before and after update to ensure everything functions.

snvboy commented 1 year ago

Any updates here? I think one of the dependencies may have a vulnerability in the version of moment.js being used.

mattezra commented 1 year ago

@shrunyan

I have the tests running but skipped 2 test cases (which are failing) and have updated the dependencies to remove high and critical vulnerabilities. One more high vulnerability is not removed which is for ava. We need to use ava@5.0.1 to fix this vulnerability but this version only supports Node.js 14.19, 16.16 or 18 (See ava releases). Upgrading from Node 10 to 14, 16 or 18 would break how the tests were implemented as AVA no longer compiles helpers.

See the following vulnerabilities when still using ava@2.4.0 but other dependencies already updated (moment, husky, etc.):

High: Uncontrolled Resource Consumption in trim-newlines
Package: trim-newlines
Dependency of: ava [dev]
Path: ava > meow > trim-newlines
More info: https://github.com/advisories/GHSA-7p7h-4mm5-852v

Moderate: Got allows a redirect to a UNIX socket
Package: got
Dependency of: ava [dev]
Path: ava > update-notifier > latest-version > package-json > got
More info: https://github.com/advisories/GHSA-pfrx-2q88-qq97

Moderate: yargs-parser Vulnerable to Prototype Pollution
Package: yargs-parser
Dependency of: ava [dev]
Path: ava > meow > yargs-parser
More info: https://github.com/advisories/GHSA-p9pc-299p-vxgp

NEXT STEP: Wanted to touch base with you first and get your thoughts on if we would go the route of either:

  1. fixing all vulnerabilities by using ava@5.0.1, upgrade node version to Node16 and update our tests in node-sdk
  2. retaining ava2.4.0 and Node10 but the 3 vulnerabilities mentioned above will still be present

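
The triage the comment above does by hand (filter the audit for high and critical findings, note the top-level package and path each one is reached through, and separate findings that only reach the dev toolchain from those that ship to SDK consumers) can be scripted. The following is an added example and not code from the node-sdk repository; it assumes the npm 6 `npm audit --json` report shape (a top-level `advisories` object whose entries carry `module_name`, `severity`, `title`, `url` and `findings[]` with `paths[]` and a `dev` flag), and the sample report is constructed from the three advisories quoted above.

```javascript
// Added example, not code from the zesty-io/node-sdk repository. It assumes the
// npm 6 `npm audit --json` report shape: a top-level "advisories" object keyed by
// id, each with module_name, severity, title, url and findings[], where every
// finding has paths[] (written "a>b>c") and a dev flag.
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Flatten a report into one record per vulnerable path at or above minSeverity.
function summariseAudit(report, minSeverity = 'moderate') {
  const rows = [];
  for (const adv of Object.values(report.advisories || {})) {
    if ((RANK[adv.severity] || 0) < RANK[minSeverity]) continue;
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split('>'); // chain[0] is the top-level package that pulls it in
        rows.push({ severity: adv.severity, title: adv.title, pkg: adv.module_name,
          dependencyOf: chain[0], dev: Boolean(finding.dev), // dev: only reachable via devDependencies
          path: chain.join(' > '), url: adv.url });
      }
    }
  }
  return rows.sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}

// Production findings ship to SDK consumers; dev-only ones affect the
// build/test host, which is the distinction the comment weighs for ava.
function splitByExposure(rows) {
  return { production: rows.filter((r) => !r.dev), devOnly: rows.filter((r) => r.dev) };
}

// Render a finding in the layout quoted in the comment above.
function formatRow(r) {
  const sev = r.severity[0].toUpperCase() + r.severity.slice(1);
  return `${sev}: ${r.title}\nPackage: ${r.pkg}\nDependency of: ${r.dependencyOf}` +
    `${r.dev ? ' [dev]' : ''}\nPath: ${r.path}\nMore info: ${r.url}`;
}

// Constructed sample mirroring the three advisories quoted above (ids are made up).
const SAMPLE_REPORT = { advisories: {
  1: { module_name: 'trim-newlines', severity: 'high', title: 'Uncontrolled Resource Consumption in trim-newlines',
       url: 'https://github.com/advisories/GHSA-7p7h-4mm5-852v', findings: [{ paths: ['ava>meow>trim-newlines'], dev: true }] },
  2: { module_name: 'got', severity: 'moderate', title: 'Got allows a redirect to a UNIX socket',
       url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97', findings: [{ paths: ['ava>update-notifier>latest-version>package-json>got'], dev: true }] },
  3: { module_name: 'yargs-parser', severity: 'moderate', title: 'yargs-parser Vulnerable to Prototype Pollution',
       url: 'https://github.com/advisories/GHSA-p9pc-299p-vxgp', findings: [{ paths: ['ava>meow>yargs-parser'], dev: true }] },
} };

summariseAudit(SAMPLE_REPORT).forEach((r) => console.log(formatRow(r) + '\n'));
```

Running it against a real report (`npm audit --json > audit.json`, then `JSON.parse` the file in place of `SAMPLE_REPORT`) shows at a glance whether any finding sits on a production path, which is the case that cannot be deferred the way the dev-only ava findings are.
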
mattezra commented 1 year ago

@shrunyan

PR: Updated: Dependencies and fixed test suites