
Update package.json to newer, secure versions #62

Open
mehigh opened this issue Mar 14, 2022 · 3 comments
Labels
good first issue Good for newcomers

Comments

@mehigh
Member

mehigh commented Mar 14, 2022

https://github.com/xwp/site-performance-tracker/security/dependabot

mehigh added the good first issue label Mar 14, 2022

@loganwisniewski
Contributor

@mehigh Here are my initial findings:

Regular expression denial of service (https://github.com/xwp/site-performance-tracker/security/dependabot/3):

  • eslint@8.10.0 already has an isolated dependency of glob-parent@6.0.2 (not sure why this would be a conflict)
  • copy-webpack-plugin@10.2.4 already has an isolated dependency of glob-parent@6.0.2 (not sure why this would be a conflict)
  • gulp@4.0.2 is already installed as the latest available version

Uncontrolled Resource Consumption in markdown-it (https://github.com/xwp/site-performance-tracker/security/dependabot/1):

  • @wordpress/scripts@22.1.0 updated to @wordpress/scripts@22.2.1 (latest) locally still contains the outdated markdown-it@12.0.4

What should my approach be? I've seen ways to force dependency versions, but that doesn't seem like a very stable way to handle these vulnerabilities.

@mehigh
Member Author

mehigh commented Mar 17, 2022

@loganwisniewski please contribute a PR which updates all of the dependencies to the latest versions.
If there are libraries still relying on a vulnerable version, we can create a ticket in their repositories and contribute a fix there, as happens with wordpress/scripts.

We don't need to spend a lot of time on this, but we should at least do our due diligence in passing on (or contributing to, as it is not too much of an ask for an npm dependency) the information and improving security in the tools we're using.

@kasparsd
Contributor

The result of npm audit fix should be enough. The only dependency we're actually using outside of dev-dependencies is:

"dependencies": {
  "web-vitals": "^2.1.4"
}

so we can ignore any dev-dependency related warnings.
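The dev-only reasoning in the comment above, as an added example that is not part of the original thread or of the site-performance-tracker project: a dependency-free Node script that uses the `dev: true` flag which package-lock.json (lockfileVersion 2 or 3) records for packages reachable only through devDependencies, finds every installed copy of an advisory's package (including nested copies such as the one under gulp's own node_modules, which is why Dependabot can flag glob-parent even though eslint resolves glob-parent@6.0.2 at the top level), and reports for each copy whether it is vulnerable and whether it is production-reachable. The lockfile fragment is constructed to resemble this repository's tree, and the "fixed in" versions for glob-parent and markdown-it are assumptions made for the example rather than values stated in the thread; take the real ranges from the Dependabot alerts.

```javascript
// Added example, not code from the xwp/site-performance-tracker repository.
// Classifies advisories by whether the affected package is reachable from
// production "dependencies", using the dev flag in package-lock.json v2/v3.

// Constructed sample shaped like the "packages" map of a real package-lock.json
// (lockfileVersion 2). Nested keys model a package that pins its own older copy.
const SAMPLE_LOCK = {
  name: "site-performance-tracker",
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { "web-vitals": "^2.1.4" },
      devDependencies: { gulp: "^4.0.2", eslint: "^8.10.0", "@wordpress/scripts": "^22.2.1" },
    },
    "node_modules/web-vitals": { version: "2.1.4" },
    "node_modules/glob-parent": { version: "6.0.2", dev: true },
    "node_modules/gulp": { version: "4.0.2", dev: true },
    // gulp's own nested node_modules carries an older glob-parent (constructed)
    "node_modules/gulp/node_modules/glob-parent": { version: "3.1.0", dev: true },
    "node_modules/markdown-it": { version: "12.0.4", dev: true },
  },
};

// Advisories as (package, first fixed version). The fixedIn values are
// assumptions for this example; read the real ranges from the Dependabot alert.
const SAMPLE_ADVISORIES = [
  { name: "glob-parent", title: "Regular expression denial of service", fixedIn: "5.1.2" },
  { name: "markdown-it", title: "Uncontrolled Resource Consumption", fixedIn: "12.3.2" },
];

// Numeric x.y.z comparison: true when a < b. Enough for release versions;
// prerelease tags are ignored, so use a real semver library for those.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Every installed copy of `name`, top-level or nested under another package.
function installedCopies(lock, name) {
  const key = "node_modules/" + name;
  return Object.entries(lock.packages)
    .filter(([path]) => path === key || path.endsWith("/" + key))
    .map(([path, meta]) => ({ path, version: meta.version, dev: meta.dev === true }));
}

// Names of every installed package reachable from production dependencies,
// i.e. every lock entry without the dev flag (the root entry "" is skipped).
function runtimePackageNames(lock) {
  const marker = "node_modules/";
  return Object.entries(lock.packages)
    .filter(([path, meta]) => path !== "" && meta.dev !== true)
    .map(([path]) => path.slice(path.lastIndexOf(marker) + marker.length));
}

// One row per installed copy of each advised package, with a suggested action.
function classifyAdvisories(lock, advisories) {
  const rows = [];
  for (const adv of advisories) {
    for (const copy of installedCopies(lock, adv.name)) {
      const vulnerable = versionLessThan(copy.version, adv.fixedIn);
      let action;
      if (!vulnerable) action = "installed version is not in the vulnerable range";
      else if (copy.dev) action = "dev-only: no runtime exposure, still worth updating";
      else action = "production-reachable: must fix";
      rows.push({ name: adv.name, title: adv.title, path: copy.path,
        version: copy.version, vulnerable, dev: copy.dev, action });
    }
  }
  return rows;
}

// Stand-alone run over the constructed data.
console.log("runtime packages:", runtimePackageNames(SAMPLE_LOCK).join(", "));
for (const r of classifyAdvisories(SAMPLE_LOCK, SAMPLE_ADVISORIES)) {
  console.log(`${r.path}@${r.version}: ${r.title} -> ${r.action}`);
}
```

To run this against a real checkout, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the same production-only view is what newer npm versions give with `npm audit --omit=dev`. The `dev` flag only answers whether the code can reach production; a dev-only ReDoS can still stall a build, so the rows marked dev-only are triage information, not a reason never to update.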

Development

No branches or pull requests

3 participants