[bugi] Package Security Audit #88

Merged
merged 1 commit into from
Apr 10, 2024

Conversation

dylannguyen11195
Contributor

@dylannguyen11195 dylannguyen11195 commented Apr 5, 2024

Ticket: https://mapbox.atlassian.net/browse/MAPSAPI-2218

Summary of changes:

Ran `npm audit fix` to update the following vulnerable packages:

  • hosted-git-info
  • json5
  • lodash
  • minimist
  • path-parse
  • semver
  • trim-newlines

Before (current vulnerabilities in the main branch):

# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse
node_modules/tap/node_modules/@babel/traverse

hosted-git-info  <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5

lodash  <=4.17.20
Severity: high
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix`
node_modules/@babel/core/node_modules/lodash
node_modules/@babel/helper-module-transforms/node_modules/lodash
node_modules/@babel/traverse/node_modules/lodash
node_modules/@babel/types/node_modules/lodash

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse

react-devtools-core  <4.28.4
Severity: moderate
React Developer Tools extension Improper Authorization vulnerability - https://github.com/advisories/GHSA-rxrc-rgv4-jpvx
fix available via `npm audit fix`
node_modules/tap/node_modules/react-devtools-core

semver  <5.7.2 || >=6.0.0 <6.3.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/semver

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines

9 vulnerabilities (4 moderate, 3 high, 2 critical)

After:

# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/tap/node_modules/@babel/traverse

react-devtools-core  <4.28.4
Severity: moderate
React Developer Tools extension Improper Authorization vulnerability - https://github.com/advisories/GHSA-rxrc-rgv4-jpvx
fix available via `npm audit fix`
node_modules/tap/node_modules/react-devtools-core

2 vulnerabilities (1 moderate, 1 critical)
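Added example, not code from this pull request or the repository: a Python script that diffs two `npm audit --json` reports taken before and after `npm audit fix`, lists which advisories were resolved, reproduces the per-severity summary line, and flags leftovers that exist only as nested copies under another package's `node_modules`, which is where the two remaining advisories above sit. The two reports embedded below are constructed to mirror the before/after output shown in this PR, trimmed to three packages; the `vuln` builder and the nested-copy heuristic are this example's own, not part of npm.

```python
"""Diff two `npm audit --json` (auditReportVersion 2, npm 7+) reports."""
import json


def vuln(name, severity, rng, ghsa, nodes):
    """Build one entry in the shape npm 7+ uses under "vulnerabilities".
    Helper for the constructed sample reports below, not an npm API."""
    return {
        "name": name, "severity": severity, "isDirect": False,
        "via": [{"name": name, "severity": severity, "range": rng,
                 "url": "https://github.com/advisories/" + ghsa}],
        "range": rng, "nodes": nodes, "fixAvailable": True,
    }


# Constructed reports modelled on the PR's before/after output (three of the
# nine packages); not captured from the repository.
BEFORE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "@babel/traverse": vuln("@babel/traverse", "critical", "<7.23.2",
                            "GHSA-67hx-6x53-jw92",
                            ["node_modules/@babel/traverse",
                             "node_modules/tap/node_modules/@babel/traverse"]),
    "minimist": vuln("minimist", "critical", "1.0.0 - 1.2.5",
                     "GHSA-xvch-5gv4-984h", ["node_modules/minimist"]),
    "react-devtools-core": vuln("react-devtools-core", "moderate", "<4.28.4",
                                "GHSA-rxrc-rgv4-jpvx",
                                ["node_modules/tap/node_modules/react-devtools-core"]),
}})

AFTER_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "@babel/traverse": vuln("@babel/traverse", "critical", "<7.23.2",
                            "GHSA-67hx-6x53-jw92",
                            ["node_modules/tap/node_modules/@babel/traverse"]),
    "react-devtools-core": vuln("react-devtools-core", "moderate", "<4.28.4",
                                "GHSA-rxrc-rgv4-jpvx",
                                ["node_modules/tap/node_modules/react-devtools-core"]),
}})


def advisories(report_text):
    """Map GHSA id -> (package, severity, installed paths).

    A "via" entry that is a plain string means the package is only affected
    through that dependency and carries no advisory of its own, so it is skipped.
    """
    report = json.loads(report_text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected an npm 7+ report (auditReportVersion 2)")
    found = {}
    for pkg, v in report["vulnerabilities"].items():
        for via in v["via"]:
            if isinstance(via, dict):
                ghsa = via["url"].rsplit("/", 1)[-1]
                found[ghsa] = (pkg, via["severity"], tuple(v["nodes"]))
    return found


def severity_counts(report_text):
    """Per-package counts, as npm's closing summary line reports them."""
    counts = {}
    for v in json.loads(report_text)["vulnerabilities"].values():
        counts[v["severity"]] = counts.get(v["severity"], 0) + 1
    return counts


def nested_only(nodes):
    """True when every installed copy sits under another package's node_modules:
    the top-level tree is clean and what remains is a copy a parent package pins."""
    return all(path.count("node_modules/") > 1 for path in nodes)


def compare(before_text, after_text):
    """Return fixed, remaining, and nested-only advisory ids between two reports."""
    before, after = advisories(before_text), advisories(after_text)
    remaining = sorted(after)
    return {
        "fixed": sorted(set(before) - set(after)),
        "remaining": remaining,
        "nested_only": [g for g in remaining if nested_only(after[g][2])],
    }


if __name__ == "__main__":
    for key, ids in compare(BEFORE_REPORT, AFTER_REPORT).items():
        print(f"{key}: {', '.join(ids) or '-'}")
    print("after:", severity_counts(AFTER_REPORT))
```

With real reports, call `compare(open("before.json").read(), open("after.json").read())`. An advisory that lands in `nested_only` means the parent package (here `tap`) pins the vulnerable range itself, so `npm audit fix` cannot flatten it; the remedy is to upgrade that parent or, on npm 8.3 or later, add an `overrides` entry in `package.json` and re-run the audit.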

@dylannguyen11195 dylannguyen11195 changed the title [bugi] Package Security audit [bugi] Package Security Audit Apr 5, 2024

@gilsousampbx gilsousampbx left a comment


LGTM

@dylannguyen11195
Contributor Author

@tristen just to be safe, can I get your review on this as well?

Member

@tristen tristen left a comment


LGTM

@dylannguyen11195 dylannguyen11195 merged commit 5e797bf into master Apr 10, 2024
4 checks passed