Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(platform): npm audit security fix #1836

Merged
merged 1 commit into from
May 5, 2024
Merged

fix(platform): npm audit security fix #1836

merged 1 commit into from
May 5, 2024

Conversation

pshenmic
Copy link
Collaborator

@pshenmic pshenmic commented May 5, 2024

Issue being fixed or feature implemented

CI fails in PRs with the following message:

Run yarn npm audit --environment production --all --recursive
Corepack is about to download https://repo.yarnpkg.com/[4](https://github.com/dashpay/platform/actions/runs/8957880333/job/24602040964?pr=1685#step:4:5).0.2/packages/yarnpkg-cli/bin/yarn.js.
└─ ejs
   ├─ ID: 1097210
   ├─ Issue: ejs lacks certain pollution protection
   ├─ URL: https://github.com/advisories/GHSA-ghr[5](https://github.com/dashpay/platform/actions/runs/8957880333/job/24602040964?pr=1685#step:4:6)-ch3p-vcr[6](https://github.com/dashpay/platform/actions/runs/8957880333/job/24602040964?pr=1685#step:4:7)
   ├─ Severity: moderate
   ├─ Vulnerable Versions: <3.1.10
   │ 
   ├─ Tree Versions
   │  └─ 3.1.[8](https://github.com/dashpay/platform/actions/runs/8957880333/job/24602040964?pr=1685#step:4:9)
   │ 
   └─ Dependents
      └─ @oclif/core@npm:3.[10](https://github.com/dashpay/platform/actions/runs/8957880333/job/24602040964?pr=1685#step:4:11).8
Error: Process completed with exit code 1.

This is due ejs package is fixed at vulnerable version (3.1.7) in the package.json.

What was done?

  • Removed ejs resolution (it is not needed anymore)

How Has This Been Tested?

Locally

Breaking Changes

No

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
  • I have made corresponding changes to the documentation if needed

For repository code-owners and collaborators only

  • I have assigned this pull request to a milestone

@pshenmic pshenmic self-assigned this May 5, 2024
@pshenmic pshenmic changed the title fix(package): npm audit security fix fix(platform): npm audit security fix May 5, 2024
@pshenmic pshenmic merged commit 5612b31 into v1.0-dev May 5, 2024
17 of 19 checks passed
@pshenmic pshenmic deleted the fix/npm-audit branch May 5, 2024 15:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants