Detected vulnerable npm dependencies #6
Comments
I am working on a fix for this issue.
@sonodew hey, figured the main issue was react-scripts, so I have moved to Vite, there are no dependency issues anymore, look into my PR!
Hi @Teak-Rosewood, there is no issue with react-scripts. We can move that into dev dependencies and check the audit logs. react-scripts does have a false alarm on certain npm packages: ref -> git stackoverflow. On the other hand, moving from react-scripts to vite needs a full test suite on the UI side to verify the UI will be rendered without any issue. The current code base does not have such a test suite, and I believe in that case using vite is not the right solution.
@sonodew create-react-app has since been deprecated, and considering the tests that have been currently made are quite basic, and a few don't work, I think it would be ideal to switch to vite or next. I am currently in the process of writing tests in vite, will be pushing some soon!
@Teak-Rosewood agree. In that case the PR should come along with those test cases, since introducing vite or nextjs (if we do not rely on SSR we should go with vite) is a feature and not a solution for an existing issue in my opinion.
Describe the bug
The current tensormap client project does not have the latest npm modules. This poses a threat on the security side, as there are vulnerable npm packages among the dependencies.
To Reproduce
Steps to reproduce the behavior:
Navigate to the client project and run 'npm audit'
Expected behavior
Should list number of vulnerabilities along with the vulnerable packages.
Screenshots
Following are the identified vulnerable packages.
@adobe/css-tools <=4.3.1
Severity: moderate
@babel/traverse <7.23.2
Severity: critical
axios 0.8.1 - 0.27.2
Severity: moderate
follow-redirects <1.15.4
Severity: moderate
nth-check <2.0.1
Severity: high
postcss <8.4.31
Severity: moderate
semver 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
tough-cookie <4.1.3
Severity: moderate
word-wrap <1.2.4
Severity: moderate
Desktop (please complete the following information):
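An added example, not part of the original issue or the tensormap project's code: a small Node.js triage script that checks lockfile versions against the advisory ranges listed in this issue and labels each hit as dev-only or production, the distinction raised in the comments about react-scripts. The lockfile fragment is constructed, the function names are hypothetical, and the range matcher covers only the range forms that appear in this issue.

```javascript
// Advisory ranges copied from the issue: name -> [vulnerable range, severity].
const ADVISORIES = {
  "@adobe/css-tools": ["<=4.3.1", "moderate"],
  "@babel/traverse": ["<7.23.2", "critical"],
  "axios": ["0.8.1 - 0.27.2", "moderate"],
  "follow-redirects": ["<1.15.4", "moderate"],
  "nth-check": ["<2.0.1", "high"],
  "postcss": ["<8.4.31", "moderate"],
  "semver": ["6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", "moderate"],
  "tough-cookie": ["<4.1.3", "moderate"],
  "word-wrap": ["<1.2.4", "moderate"],
};
// Compare plain x.y.z versions (assumption: no prerelease tags); returns -1, 0 or 1.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// Handles only the forms used in the issue: "<v", "<=v", "a - b" (inclusive), joined by "||".
function inRange(version, range) {
  return range.split("||").some((part) => {
    const p = part.trim();
    if (p.includes(" - ")) {
      const [lo, hi] = p.split(" - ").map((s) => s.trim());
      return cmp(version, lo) >= 0 && cmp(version, hi) <= 0;
    }
    if (p.startsWith("<=")) return cmp(version, p.slice(2)) <= 0;
    if (p.startsWith("<")) return cmp(version, p.slice(1)) < 0;
    throw new Error("unsupported range: " + p);
  });
}
// lock: parsed package-lock.json (lockfileVersion 2 or 3); dev: true marks dev-only packages.
function triage(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = path.split("node_modules/").pop(); // also resolves nested copies
    if (!entry.version || !Object.hasOwn(ADVISORIES, name)) continue;
    const [range, severity] = ADVISORIES[name];
    if (inRange(entry.version, range)) findings.push({ name, version: entry.version, severity, scope: entry.dev ? "dev" : "prod" });
  }
  return findings;
}
// Constructed sample lockfile fragment, not the project's real lockfile.
const SAMPLE_LOCK = { packages: {
  "node_modules/axios": { version: "0.21.4" },
  "node_modules/nth-check": { version: "1.0.2", dev: true },
  "node_modules/semver": { version: "7.5.4" },
  "node_modules/react-scripts/node_modules/semver": { version: "6.3.0", dev: true },
} };
console.log(triage(SAMPLE_LOCK));
```

Findings with scope "prod" ship to users and are the ones to fix first; "dev" findings affect only the build and test toolchain.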