style-dictionary
# Security vulnerability tracker devDependencies
This issue can be used for tracking security vulnerabilities in our devDependencies which cannot be auto-fixed, which should be acknowledged and actions taken to notify third parties. If they don't respond in due time, we can fork -> fix -> publish and rely on that fork instead until it's fixed in the future.
Current npm audit report dev deps (v4 branch):

```
got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        docsify-cli  >=1.1.0
        Depends on vulnerable versions of docsify
        Depends on vulnerable versions of update-notifier
        node_modules/docsify-cli

marked  <=4.0.9
Severity: high
Regular Expression Denial of Service (REDoS) in Marked - https://github.com/advisories/GHSA-4r62-v4vq-hr96
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/marked
  docsify  >=4.11.5
  Depends on vulnerable versions of marked
  node_modules/docsify
    docsify-server-renderer  >=4.12.0
    Depends on vulnerable versions of docsify
    node_modules/docsify-server-renderer

semver  <5.7.2 || >=7.0.0 <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/less/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/read-pkg/node_modules/semver

9 vulnerabilities (8 moderate, 1 high)
```
- got
- marked
- semver
## got

This is due to docsify-cli relying on an old version of update-notifier, which through a chain of transitive deps relies on an old version of got: https://github.com/advisories/GHSA-pfrx-2q88-qq97
Since docsify prefers an email to notify them of security issues, I've sent them an email, detailing what is causing it and how to fix it.
## marked

This is due to docsify relying on an old version of marked. In their package.json on their develop branch, this has been updated to v4 already, yet the version of docsify on develop branch is 4.13.0 whereas on NPM registry there is 4.13.1. Unfortunately upon inspecting the published package, it still relies on v1 of marked. I can only conclude that something went wrong with publishing to NPM. I've included the details in the email to docsify team.

If it goes without a response we may need to publish a fork with the fix at some point, same for the got issue.
## semver

Vulnerable for `<5.7.2 || >=7.0.0 <7.5.2`

Vulnerable installations caused by:

- [email protected] -> [email protected]: commented on https://github.com/less/less.js/issues/3806, will create a PR
- @changesets/[email protected] -> [email protected] -> [email protected] -> [email protected]: in https://github.com/changesets/changesets/pull/1203 I've commented with a suggested fix that would unblock changesets cli to upgrade to latest
So, just waiting for docsify, changesets and less to respond to my emails, comment on PR and PR, otherwise we can go with forks, but let's give it some time.
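As an added example (not part of this issue or the style-dictionary project), a small Node script that does the triage described above on an `npm audit --json` (auditReportVersion 2) report: it finds the root-cause advisories, walks the `effects` links up to the direct devDependency that pulls each one in, and flags whether `npm audit fix` handles it, whether the only fix is a breaking major bump, or whether an upstream maintainer has to act first. The sample report is constructed to mirror the findings listed in this issue; the `fixAvailable` version and the `v` helper are placeholders, not real npm output.

```javascript
// Added example: triage an `npm audit --json` (auditReportVersion 2) report into root-cause
// advisories, the chains that pull them in, and whether the fix is automatic, breaking or upstream.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Walk `effects` upward from a package until a direct dependency is reached; returns every
// chain as an array of package names, root cause first (cycle-safe via `seen`).
function chainsToDirect(vulns, name, seen = new Set()) {
  const entry = vulns[name];
  if (!entry || seen.has(name)) return [];
  const path = new Set(seen).add(name);
  if (entry.isDirect || entry.effects.length === 0) return [[name]];
  return entry.effects.flatMap((dep) =>
    chainsToDirect(vulns, dep, path).map((chain) => [name, ...chain]));
}

// Root causes are entries whose `via` carries advisory objects rather than package names.
function triage(report) {
  const vulns = report.vulnerabilities;
  return Object.values(vulns)
    .filter((e) => e.via.some((x) => typeof x === 'object'))
    .map((e) => {
      const advisories = e.via.filter((x) => typeof x === 'object');
      const worst = advisories.reduce((a, b) => (SEVERITY_RANK[b.severity] > SEVERITY_RANK[a.severity] ? b : a));
      return {
        package: e.name,
        severity: worst.severity,
        advisories: advisories.map((a) => a.url),
        chains: chainsToDirect(vulns, e.name).map((c) => c.join(' -> ')),
        autoFixable: e.fixAvailable === true, // plain `npm audit fix` resolves it
        breakingFix: typeof e.fixAvailable === 'object' && e.fixAvailable.isSemVerMajor === true,
        needsUpstreamAction: e.fixAvailable !== true, // notify maintainers; fork/fix/publish if they stall
      };
    });
}
// Constructed sample modelled on this issue's report (not real audit output); placeholder version, `v` is a local helper.
const v = (name, via, effects, fixAvailable, isDirect = false) => ({ name, via, effects, fixAvailable, isDirect });
const BREAKING = { name: 'docsify-cli', version: '0.0.0-placeholder', isSemVerMajor: true };
const sampleReport = { auditReportVersion: 2, vulnerabilities: {
  got: v('got', [{ severity: 'moderate', url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97' }], ['package-json'], BREAKING),
  'package-json': v('package-json', ['got'], ['latest-version'], BREAKING),
  'latest-version': v('latest-version', ['package-json'], ['update-notifier'], BREAKING),
  'update-notifier': v('update-notifier', ['latest-version'], ['docsify-cli'], BREAKING),
  'docsify-cli': v('docsify-cli', ['update-notifier', 'docsify'], [], BREAKING, true),
  marked: v('marked', [{ severity: 'high', url: 'https://github.com/advisories/GHSA-4r62-v4vq-hr96' }], ['docsify'], BREAKING),
  docsify: v('docsify', ['marked'], ['docsify-cli', 'docsify-server-renderer'], BREAKING),
  'docsify-server-renderer': v('docsify-server-renderer', ['docsify'], [], BREAKING, true),
  semver: v('semver', [{ severity: 'moderate', url: 'https://github.com/advisories/GHSA-c2qf-rxjj-qqgw' }], ['less'], true),
  less: v('less', ['semver'], [], true, true),
} };
console.table(triage(sampleReport).map(({ advisories, ...rest }) => rest));
```

Running it against a real report is `npm audit --json --omit=prod > audit.json` followed by `triage(JSON.parse(fs.readFileSync('audit.json')))`; the `chains` column tells you which maintainer to contact at each hop.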
## History
Vulnerabilities in the past that have been resolved