
Remediate High / Critical issues from npm security audit [Feature]:

Open jaydubb12 opened this issue 3 years ago • 0 comments

How can the project be improved?

Issue

Remediate High / Critical issues from npm security audit which can be run using the following command

Command to run dependency check

yarn npm audit --all -R --severity  critical
yarn npm audit --all -R --severity  high

Output

├─ axios: 0.21.1
│  ├─ Issue: Incorrect Comparison in axios
│  ├─ URL: https://github.com/advisories/GHSA-cph5-m8f7-6c5x
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <=0.21.1
│  ├─ Patched Versions: >=0.21.2
│  ├─ Via: axios, @vue-storefront/core, @vue-storefront/boilerplate-api, @vue-storefront/boilerplate
│  └─ Recommendation: Upgrade to version 0.21.2 or later
│
├─ glob-parent: 2.0.0
│  ├─ Issue: Regular expression denial of service
│  ├─ URL: https://github.com/advisories/GHSA-ww39-953v-wcq6
│  ├─ Severity: high
│  ├─ Vulnerable Versions: <5.1.2
│  ├─ Patched Versions: >=5.1.2
│  ├─ Via: chokidar, @vue-storefront/nuxt, @storefront-ui/vue, ts-loader, @nuxt/types, @vue-storefront/core, @vue-storefront/boilerplate-api, @vue-storefront/boilerplate, nuxt-purgecss, nuxt, ts-jest
│  └─ Recommendation: Upgrade to version 5.1.2 or later
│
└─ trim-newlines: 1.0.0
   ├─ Issue: Regular Expression Denial of Service in trim-newlines
   ├─ URL: https://github.com/advisories/GHSA-7p7h-4mm5-852v
   ├─ Severity: high
   ├─ Vulnerable Versions: <3.0.1
   ├─ Patched Versions: >=3.0.1
   ├─ Via: @commitlint/cli, lerna
   └─ Recommendation: Upgrade to version 3.0.1 or later

What are the acceptance criteria?

  • Remediate the security vulnerabilities by updating the referenced dependencies directly, or via a resolutions config in the package.json

  • Regression test the code base to ensure that there are no regressions

Additional information

It is best practice to maintain the code base in a fashion that does not reflect any high / critical issues within a period of 24 hours - 1 week depending on the severity.

In what version of Vue Storefront can this feature be implemented?

2.5.0+

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

jaydubb12 avatar Jan 11 '22 14:01 jaydubb12
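The acceptance criteria above ask for the three advisories to be remediated either by direct upgrades or via a resolutions config in package.json. The following Node script is an added example, not code from the issue or from the vue-storefront repository: it checks a constructed snapshot of installed versions against the patched versions quoted in the audit output, and emits the "resolutions" entries that force those versions. The installed-version snapshot and the package.json text are constructed sample data.

```javascript
// Advisories as quoted in the audit output of the issue (patched = first safe version).
const ADVISORIES = [
  { name: "axios",         id: "GHSA-cph5-m8f7-6c5x", patched: "0.21.2" },
  { name: "glob-parent",   id: "GHSA-ww39-953v-wcq6", patched: "5.1.2" },
  { name: "trim-newlines", id: "GHSA-7p7h-4mm5-852v", patched: "3.0.1" },
];

// Constructed snapshot: every copy of a package present in the lockfile,
// mirroring the versions flagged in the audit plus one already-patched copy.
const INSTALLED = {
  "axios": ["0.21.1"],
  "glob-parent": ["2.0.0", "5.1.2"],
  "trim-newlines": ["1.0.0"],
};

// Numeric dotted-version comparison, sufficient for the plain versions here.
// A production check should use the semver package to handle prerelease tags.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Advisories for which at least one installed copy is still below the
// patched version, with the offending copies listed. Empty means remediated.
function findUnresolved(installed) {
  return ADVISORIES.flatMap((adv) => {
    const bad = (installed[adv.name] || []).filter((v) => compareVersions(v, adv.patched) < 0);
    return bad.length ? [{ ...adv, vulnerable: bad }] : [];
  });
}

// "resolutions" map: a caret range on the patched version makes yarn replace
// every transitive copy (the "Via" chains above) on the next install.
function resolutionsFor(unresolved) {
  return Object.fromEntries(unresolved.map((u) => [u.name, `^${u.patched}`]));
}

// Merge those entries into existing package.json text, keeping prior resolutions.
function addResolutions(packageJsonText, unresolved) {
  const pkg = JSON.parse(packageJsonText);
  pkg.resolutions = { ...(pkg.resolutions || {}), ...resolutionsFor(unresolved) };
  return JSON.stringify(pkg, null, 2);
}

// Constructed package.json; re-run findUnresolved after `yarn install` to confirm the fix took.
console.log(addResolutions('{"name":"demo-app","resolutions":{}}', findUnresolved(INSTALLED)));
```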