
fix: solve audit errors #610

Closed
wants to merge 1 commit into from

Conversation

pinussilvestrus
Contributor

  • executed npm audit fix

Which issue does this PR address?

Related to #609

Acceptance Criteria

  • Corresponds to the concept
  • Corresponds to the design

Definition of Done

@bpmn-io-tasks bpmn-io-tasks bot added the in progress Currently worked on label Nov 30, 2020
@pinussilvestrus
Contributor Author

pinussilvestrus commented Nov 30, 2020

Executing npm audit fix seems to not do the trick, since there are still issues open, also the ones mentioned in #609 (as far as I can overview it). That's very likely due to the multi-package structure of this project.

Proposal:

  • Let's discuss a basic strategy regarding those security vulnerability issues coming from other libraries
  • Investigate which security issues we want to fix

* executed `npm audit fix`

Related to #609
@pinussilvestrus
Contributor Author

I verified the two issues described in #609 with the snyk CLI

Issues with no direct upgrade or patch:
  ✗ Prototype Pollution [Medium Severity][https://snyk.io/vuln/SNYK-JS-MINIMIST-559764] in minimist@1.2.0
    introduced by dmn-js@9.4.0 > dmn-js-shared@9.4.0 > inferno@5.0.6 > opencollective@1.0.3 > minimist@1.2.0 and 5 other path(s)
  This issue was fixed in versions: 0.2.1, 1.2.3
  ✗ Denial of Service [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311] in node-fetch@1.6.3
    introduced by dmn-js@9.4.0 > dmn-js-shared@9.4.0 > inferno@5.0.6 > opencollective@1.0.3 > node-fetch@1.6.3 and 5 other path(s)
  This issue was fixed in versions: 2.6.1, 3.0.0-beta.9

Seems like these are coming from inferno, which we can't update currently.

@nikku
Member

nikku commented Dec 1, 2020

That opencollective thing is an actual run-time dependency, via inferno: https://github.com/infernojs/inferno/blob/v5.0.6/packages/inferno/package.json#L54.

To fix it, we'd need to patch inferno to not use the broken (and outdated) library.
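Tracing which top-level dependency owns a transitive advisory such as the two above, as an added example (not the bpmn-io project's code): it walks a package-lock.json v1 tree with npm's nearest-ancestor resolution and reports snyk-style paths only where the resolved copy is still below the advisory's fix. The lockfile fragment is constructed from the paths quoted in the thread, and the version comparison is a deliberately minimal stand-in for semver.

```javascript
// Added example, not the bpmn-io project's code: walk a package-lock.json v1 tree
// ("dependencies" entries with "version", "requires", nested "dependencies") and
// list every path that introduces a package, keeping only vulnerable resolutions.
// Constructed lockfile fragment modelled on the snyk paths quoted in the thread.
const LOCK = {
  dependencies: {
    'dmn-js': { version: '9.4.0', requires: { 'dmn-js-shared': '^9.4.0' } },
    'dmn-js-shared': { version: '9.4.0', requires: { inferno: '^5.0.6' } },
    inferno: { version: '5.0.6', requires: { opencollective: '^1.0.3' } },
    opencollective: {
      version: '1.0.3',
      requires: { minimist: '^1.2.0', 'node-fetch': '^1.6.3' },
      dependencies: { minimist: { version: '1.2.0' } }, // not hoisted: old copy kept
    },
    minimist: { version: '1.2.5' }, // hoisted copy, already patched
    'node-fetch': { version: '1.6.3' },
  },
};
// npm resolution rule: the nearest enclosing "dependencies" map wins.
function resolve(scope, name) {
  for (let i = scope.length - 1; i >= 0; i--) {
    const deps = scope[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return null;
}
// Zero-padded "major.minor.patch" key for string comparison; pre-release tags ignored.
const key = (v) => v.split('.').slice(0, 3).map((s) => String(parseInt(s, 10) || 0).padStart(5, '0')).join('.');
// Vulnerable unless a fixed release on the same major line is at or below v.
const isVulnerable = (v, fixedIn) =>
  !fixedIn.some((f) => key(f).slice(0, 5) === key(v).slice(0, 5) && key(v) >= key(f));
// Every "a@1 > b@2 > target@v" path (snyk style) whose resolved target is vulnerable.
function vulnerablePaths(lock, target, fixedIn) {
  const hits = [];
  function walk(name, node, scope, trail) {
    const label = `${name}@${node.version}`;
    if (trail.includes(label)) return; // cycle guard
    const next = [...trail, label];
    if (name === target) {
      if (isVulnerable(node.version, fixedIn)) hits.push(next.join(' > '));
      return;
    }
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve([...scope, node], dep);
      if (child) walk(dep, child, [...scope, node], next);
    }
  }
  for (const [name, node] of Object.entries(lock.dependencies)) walk(name, node, [lock], []);
  return hits;
}
```

Running `vulnerablePaths(LOCK, 'minimist', ['0.2.1', '1.2.3'])` lists only the four paths ending in opencollective's own minimist@1.2.0; the hoisted 1.2.5 copy is skipped, which is why `npm audit fix` alone leaves the report unchanged.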

@pinussilvestrus
Contributor Author

Let's close this one to keep our board clean and do proper housekeeping later on (e.g. by also cleaning up the sub-packages).

@bpmn-io-tasks bpmn-io-tasks bot removed the in progress Currently worked on label Dec 2, 2020
@pinussilvestrus pinussilvestrus deleted the bump-deps branch December 2, 2020 09:23
@pinussilvestrus pinussilvestrus restored the bump-deps branch December 2, 2020 09:24
@nikku nikku deleted the bump-deps branch December 17, 2020 21:33