Merge pull request #343 from davidradl/git342

#342 resolve the critcal npm audit vulnerability
odpi · Jan 31, 2022 · 7990c40 · 7990c40
2 parents b253424 + ee2e5dc
commit 7990c40
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/cra-client/package.json b/cra-client/package.json
@@ -3,6 +3,12 @@
   "version": "3.5.0-rc.0",
   "description": "Egeria React User Interface client component.",
   "private": true,
+  "resolutions": {
+    "immer": "9.0.7",
+    "nth-check": "2.0.1",
+    "glob-parent": "6.0.1",
+    "node-forge": "1.0.0"
+  },
   "dependencies": {
     "@babel/core": "^7.16.5",
     "@carbon/elements": "^10.49.0",
@@ -20,6 +26,7 @@
     "date-fns": "^2.27.0",
     "fibers": "^5.0.0",
     "joi": "^17.5.0",
+    "npm-force-resolutions": "0.0.10",
     "postcss": "^8.4.5",
     "prop-types": "^15.7.2",
     "react": "^17.0.2",
@@ -38,7 +45,8 @@
     "start": "react-scripts start",
     "build": "react-scripts build",
     "test": "react-scripts test --env=jsdom",
-    "eject": "react-scripts eject"
+    "eject": "react-scripts eject",
+    "preinstall": "npx force-resolutions"
   },
   "contributors": [
     {

diff --git a/docs/security-fixes.md b/docs/security-fixes.md
@@ -0,0 +1,33 @@
+# Security Fixes
+
+The build solar scan runs and spots vulnerabilities.
+Also locally you can run npm audit to list vulnerabilities. 
+Over time more and more vultnerabilities will be flagged by these mechanisms. This file is to keep track of the outstanding security fixed and how they are bing addressed.
+
+npm audit fix should run regularly. This should fix any components that can be upgraded with a non-breaking change. 
+
+As of 30/01/22 
+
+* issue [https://github.com/odpi/egeria-react-ui/issues/342](https://github.com/odpi/egeria-react-ui/issues/342) was raised to address a critical issue in Immer. 
+
+```npm audit gives
+found 94 vulnerabilities (2 low, 87 moderate, 4 high, 1 critical) in 2485 scanned packages
+  91 vulnerabilities require semver-major dependency updates.
+  3 vulnerabilities require manual review. See the full report for details.```
+
+
+
+There is a lot of discussion about this not actually effecting runtime. The fix that was recommended was to force the level of Immer. The fix forthis introduced some force resolutions including that of Immer. This brings the oustanding vulnerabilities to :
+
+```found 86 vulnerabilities (84 moderate, 2 high)```
+
+
+
+
+
+
+
+
+
+
+