site-performance-tracker
Update package.json to newer, secure versions
https://github.com/xwp/site-performance-tracker/security/dependabot
@mehigh Here are my initial findings:
Regular expression denial of service (https://github.com/xwp/site-performance-tracker/security/dependabot/3):
- [email protected] already has an isolated dependency of [email protected] (not sure why this would be a conflict)
- [email protected] already has an isolated dependency of [email protected] (not sure why this would be a conflict)
- [email protected] is already installed as the latest available version
Uncontrolled Resource Consumption in markdown-it (https://github.com/xwp/site-performance-tracker/security/dependabot/1):
- @wordpress/[email protected] updated to @wordpress/[email protected] (latest) locally still contains the outdated [email protected]
What should be my approach? I've seen ways to force dependency versions but that doesn't seem like a very stable way to handle these vulnerabilities.
@loganwisniewski please contribute a PR which updates all of the dependencies to the latest versions. If there are libraries still relying on a vulnerable version we can create a ticket in their repositories and contribute a fix there, as happens with wordpress/scripts.
We don't need to spend a lot of time on this, but we should at least do our due diligence in passing on (or contributing to, as it is not too much of an ask for an npm dependency) the information and improving security in the tools we're using.
The result of npm audit fix should be enough. The only dependency we're actually using outside of dev-dependencies is:
https://github.com/xwp/site-performance-tracker/blob/6be53c6225f9c8954a5a04b4dcbeb77488a682bb/package.json#L65-L67
so we can ignore any dev-dependency related warnings.
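The comment above says dev-dependency findings can be ignored because the package's only runtime dependency is the one linked in package.json. As an added illustration (editor's code, not code from the site-performance-tracker project or its maintainers), the script below shows how to apply that rule mechanically: it takes the `packages` map from a package-lock.json (lockfileVersion 2 or 3, which marks dev-only install paths with `dev: true`) and an `npm audit --json` report (auditReportVersion 2), and splits the findings into production and dev-only. Every package, version and vulnerable range in the sample data is constructed for the example; only the names markdown-it and @wordpress/scripts come from the thread, and the `runtime-lib`, `shared-util` and `example-plugin` names are placeholders.

```javascript
// Added example (editor's code, not from the site-performance-tracker project).
// Splits `npm audit --json` findings into those that touch production
// dependencies and those confined to devDependencies, using the `dev: true`
// flag that package-lock.json (lockfileVersion 2 or 3) records per install path.
// All data below is constructed for illustration; runtime-lib, shared-util and
// example-plugin are placeholder names, and every version/range is made up.

// Constructed excerpt of a package-lock.json "packages" map. Keys are install
// paths; entries reachable only through devDependencies carry `dev: true`.
const lockPackages = {
  "": {
    name: "example-plugin",
    dependencies: { "runtime-lib": "^1.0.0" },
    devDependencies: { "@wordpress/scripts": "^20.0.0" },
  },
  "node_modules/runtime-lib": { version: "1.0.0" },
  "node_modules/@wordpress/scripts": { version: "20.0.0", dev: true },
  "node_modules/markdown-it": { version: "8.0.0", dev: true },
  // shared-util is hoisted as a dev-only copy, but runtime-lib also carries
  // its own nested copy, which is NOT dev-only.
  "node_modules/shared-util": { version: "2.0.0", dev: true },
  "node_modules/runtime-lib/node_modules/shared-util": { version: "1.5.0" },
};

// Constructed excerpt of `npm audit --json` (auditReportVersion 2).
// Severities and ranges are placeholders, not real advisories.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "markdown-it": {
      name: "markdown-it", severity: "moderate", isDirect: false,
      range: "<9.0.0", nodes: ["node_modules/markdown-it"], fixAvailable: true,
    },
    "shared-util": {
      name: "shared-util", severity: "high", isDirect: false,
      range: "<3.0.0",
      nodes: ["node_modules/shared-util", "node_modules/runtime-lib/node_modules/shared-util"],
      fixAvailable: true,
    },
    "runtime-lib": {
      name: "runtime-lib", severity: "high", isDirect: true,
      range: "<1.0.1", nodes: ["node_modules/runtime-lib"], fixAvailable: true,
    },
  },
};

// True only if the lockfile marks this install path as dev-only. An install
// path missing from the lockfile is treated as production (fail closed).
function isDevOnlyPath(lockPackages, installPath) {
  const entry = lockPackages[installPath];
  return entry !== undefined && entry.dev === true;
}

// A finding is dev-only only when EVERY installed copy the advisory matched
// is dev-only; a single production copy makes the whole finding production.
function splitAuditByScope(auditReport, lockPackages) {
  const prod = [];
  const dev = [];
  for (const vuln of Object.values(auditReport.vulnerabilities)) {
    const devOnly =
      vuln.nodes.length > 0 && vuln.nodes.every((p) => isDevOnlyPath(lockPackages, p));
    (devOnly ? dev : prod).push({ name: vuln.name, severity: vuln.severity, isDirect: vuln.isDirect });
  }
  return { prod, dev };
}

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// CI gate: fail when any production finding is at or above the threshold.
function shouldFailBuild(split, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  return split.prod.some((v) => SEVERITY_RANK[v.severity] >= min);
}

const result = splitAuditByScope(auditReport, lockPackages);
console.log("production findings:", result.prod.map((v) => v.name));
console.log("dev-only findings (ignorable here):", result.dev.map((v) => v.name));
console.log("fail build:", shouldFailBuild(result));
```

In practice the same filtering is what `npm audit --omit=dev` (npm 7 and later; `npm audit --production` on npm 6) does for you, and `npm audit fix` accepts the same flag. The script is useful when you want the decision recorded in CI, or when a package is installed twice: the hoisted copy may be dev-only while a nested copy under a runtime dependency is not, which is why the check looks at every path in `nodes` rather than the top-level one.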