patternfly-3
Audit vulnerabilities in transitive package of `patternfly-react`
Describe the issue. What is the expected and unexpected behavior?
- Currently, while using patternfly-react's latest version, i.e. 4.40.3, executing npm audit gives vulnerabilities in transitive packages of patternfly-react:
```json
"dependencies": {
  "@patternfly/react-charts": "^5.0.13",
  "@patternfly/react-core": "4.40.3",
  "@patternfly/react-styles": "^3.5.27",
  "@patternfly/react-topology": "^2.8.65",
  "@types/node": "12.13.0",
  "@types/react": "16.9.7",
  "patternfly-react": "^2.39.5",
  "react": "^16.10.2"
}
```
- Here's the audit report for patternfly-react:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.1.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ patternfly-react │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ patternfly-react > react-ellipsis-with-tooltip > │
│ │ semantic-release > @semantic-release/npm > npm > libnpx > │
│ │ update-notifier > configstore > dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.1.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ patternfly-react │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ patternfly-react > react-ellipsis-with-tooltip > │
│ │ semantic-release > @semantic-release/npm > npm > │
│ │ update-notifier > configstore > dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Cross-Site Scripting │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ bootstrap-select │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=1.13.6 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ patternfly-react │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ patternfly-react > patternfly > bootstrap-select │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1522 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Please provide the steps to reproduce. Feel free to link CodeSandbox or another tool.
Is this a bug or enhancement? If this issue is a bug, is this issue blocking you or is there a work-around?
What is your product and what release version are you targeting?
The only relevant vulnerability is in patternfly-react > patternfly > bootstrap-select. Moving to the patternfly-3 repo.
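The report above lists the same dot-prop advisory twice with two different paths, which is what makes raw audit output hard to triage. The following is an added example, not code from this issue or from the PatternFly project: it collapses an `npm audit --json` report into one row per advisory and direct dependency, ordered by the shortest dependency path. It assumes the npm 6 JSON layout (`advisories` keyed by id, each with `findings[].paths` and `patched_versions`) and runs on a constructed sample whose installed version numbers are placeholders, not values from the issue.

```javascript
// Constructed sample modelled on the audit tables above (npm 6 --json layout assumed).
// Installed versions are placeholders; the issue does not state them.
const SAMPLE_AUDIT = {
  advisories: {
    "1213": {
      id: 1213, module_name: "dot-prop", severity: "high",
      title: "Prototype Pollution", patched_versions: ">=5.1.1",
      findings: [{
        version: "4.2.1", // placeholder
        paths: [
          "patternfly-react>react-ellipsis-with-tooltip>semantic-release>@semantic-release/npm>npm>libnpx>update-notifier>configstore>dot-prop",
          "patternfly-react>react-ellipsis-with-tooltip>semantic-release>@semantic-release/npm>npm>update-notifier>configstore>dot-prop",
        ],
      }],
    },
    "1522": {
      id: 1522, module_name: "bootstrap-select", severity: "high",
      title: "Cross-Site Scripting", patched_versions: ">=1.13.6",
      findings: [{ version: "1.13.2", paths: ["patternfly-react>patternfly>bootstrap-select"] }], // placeholder version
    },
  },
};

// Minimal comparison for the ">=x.y.z" ranges npm prints in "Patched in".
// Returns true when the installed version already satisfies the range.
function isPatched(installed, patchedRange) {
  const m = /^>=\s*(\d+)\.(\d+)\.(\d+)$/.exec(patchedRange);
  if (!m) return false; // unknown range shape: treat as unpatched
  const want = m.slice(1, 4).map(Number);
  const have = installed.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== want[i]) return have[i] > want[i];
  }
  return true;
}

// One row per (advisory id, direct dependency); all paths kept, shallowest path first.
function triageAudit(audit) {
  const rows = new Map();
  for (const adv of Object.values(audit.advisories)) {
    for (const f of adv.findings) {
      for (const p of f.paths) {
        const chain = p.split(">");
        const key = `${adv.id}|${chain[0]}`;
        const row = rows.get(key) || {
          id: adv.id, module: adv.module_name, severity: adv.severity, title: adv.title,
          directDep: chain[0], depth: chain.length - 1, installed: f.version,
          patched: isPatched(f.version, adv.patched_versions), paths: [],
        };
        row.paths.push(p);
        row.depth = Math.min(row.depth, chain.length - 1); // hops from the direct dependency
        rows.set(key, row);
      }
    }
  }
  return [...rows.values()].sort((a, b) => a.depth - b.depth);
}
```

Feed it the parsed output of `npm audit --json`; the shallowest rows are the ones a direct dependency upgrade is most likely to fix.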