This repository has been archived by the owner on Jun 10, 2024. It is now read-only.

npm audit dev vulnerabilities #344

Closed
davidradl opened this issue Jan 28, 2022 · 1 comment

@davidradl (Member) wrote:

After issue, the vulnerabilities are:
found 81 vulnerabilities (79 moderate, 2 high) in 2515 scanned packages
78 vulnerabilities require semver-major dependency updates.
3 vulnerabilities require manual review. See the full report for details.

most of the moderate ones will be addressed by upgrading postcss to >=8.2.13. This involves some manual migration.
Note that the 2 high vulnerabilities do not have patches.

@davidradl davidradl self-assigned this Jan 28, 2022
davidradl added a commit that referenced this issue Jan 31, 2022
@davidradl (Member, Author) commented Feb 1, 2022:

@planetf1 @lpalashevski @sarbull It seems like running npm audit displays a number of vulnerabilities. I fixed one in #342 - introducing forced resolutions of some dependent libraries.

These errors are associated with the create react application. All the errors relate to development builds - many of the errors are not patchable. I backed off #342 locally and moved react-scripts and postcss to the devDependencies section of package.json and ran npm audit --prod, and it is clean.

I propose that we

  1. Move react-scripts and postcss to the devDependencies section of the package.json
  2. Remove the forced dependencies I added in npm critical audit error #342
  3. Document that npm audit --prod be run (not npm audit)
  4. Only check for production vulnerabilities and amend the sonar scanning to check the npm audit --prod scope. If this is not acceptable, we can try to avoid the issues as per npm critical audit error #342 - but many of the issues are not patchable. In fact, this reported issue around postcss >=8.2.13 has been raised against facebook in "Postcss dependency of react-scripts needs an upgrade" facebook/create-react-app#10945; it has been closed with the comment:

    These warnings are false positives. There are no actual vulnerabilities affecting your app here.

    To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

    That will remove the false positive warnings.

    I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

    If you want to discuss this, please comment in #11102.

@davidradl davidradl changed the title upgrade postcss to >=8.2.13 to address npm audit npm audit dev vulnerabilities Feb 3, 2022
davidradl added a commit that referenced this issue Feb 3, 2022
#344 correct typos and remove mkdocs workflow