
As a SA, I don't want security vulnerabilities in the public UI #35

Closed
tloubrieu-jpl opened this issue Mar 18, 2021 · 11 comments

@tloubrieu-jpl
Member

When we npm install the UI, we see some warnings on vulnerabilities; see

$ npm install

core-js@2.6.11 postinstall /data/home/pds4/pds-doi-ui/node_modules/babel-runtime/node_modules/core-js
node -e "try{require('./postinstall')}catch(e){}"

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:

https://opencollective.com/core-js
https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

core-js@3.6.5 postinstall /data/home/pds4/pds-doi-ui/node_modules/core-js
node -e "try{require('./postinstall')}catch(e){}"

core-js-pure@3.6.5 postinstall /data/home/pds4/pds-doi-ui/node_modules/core-js-pure
node -e "try{require('./postinstall')}catch(e){}"

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/webpack-dev-server/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/watchpack-chokidar2/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/jest-haste-map/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.1.2 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

added 1691 packages from 810 contributors and audited 1699 packages in 32.942s

76 packages are looking for funding
run npm fund for details

found 6 vulnerabilities (1 low, 2 moderate, 3 high)
run npm audit fix to fix them, or npm audit for details

@tloubrieu-jpl tloubrieu-jpl added bug Something isn't working security labels Mar 18, 2021
@jordanpadams jordanpadams changed the title As JPL infrastructure SA, i don't want security vulnerabilities in the public UI As a SA, i don't want security vulnerabilities in the public UI Mar 18, 2021
@jordanpadams jordanpadams changed the title As a SA, i don't want security vulnerabilities in the public UI As a SA, I don't want security vulnerabilities in the public UI Mar 18, 2021
@tloubrieu-jpl
Member Author

When I run

% npm install
npm WARN tsutils@3.17.1 requires a peer of typescript@>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta but none is installed. You must install peer dependencies yourself.
npm WARN pds-doi-ui@0.1.0-dev No repository field.
npm WARN pds-doi-ui@0.1.0-dev No license field.

audited 1699 packages in 6.738s

76 packages are looking for funding
  run `npm fund` for details

found 4601 vulnerabilities (1 low, 163 moderate, 4437 high)

We need to know how critical these vulnerabilities are.

I think we will go straight to the SA on this question.

@jordanpadams
Member

@tloubrieu-jpl Is there a report we could briefly review to identify what these vulnerabilities are? Some of them may be simple programming-logic vulnerabilities we should address before going to the SAs?

@tloubrieu-jpl
Member Author

@jordanpadams @eddiesarevalo yes, maybe we should find a way to get which vulnerabilities come from our code and which come from dependencies.

@eddiesarevalo
Member

@jordanpadams @tloubrieu-jpl If you run the npm audit command you get the full list detailing the vulnerabilities. These all come from the dependencies, not from our code. We can try the npm audit fix command, but not all of them will be fixed. There are at least 80 that require manual attention, but they might prove difficult to fix since they come from third parties. I wanted to post the full list, but the report is long. Let me know if I should try sending it to you through email. If these are too serious to allow us to deploy, then we can consider using alternate, less vulnerable technologies.

@eddiesarevalo
Member

eddiesarevalo commented May 24, 2021

A majority of the high-risk vulnerabilities come from lodash, a react dependency which, from what I can tell, is not actually used in our built code but in the react build process.

@jordanpadams
Member

@eddiesarevalo are there newer versions of our dependencies we could upgrade to that potentially remove these vulnerabilities?

@eddiesarevalo
Member

@jordanpadams Yes that is probably the second thing I can try after the npm audit fix

@eddiesarevalo
Member

@jordanpadams @tloubrieu-jpl Using npm audit fix and npm audit fix --force got rid of over 4000 vulnerabilities leaving all but 80. Updating all the dependency versions gives the same result. The final 80 need to be manually updated but they are all moderate. There are no high vulnerabilities remaining.

@jordanpadams
Member

@eddiesarevalo per discussions today, feel free to create a PR for these updates, and we will deal with the other moderate vulnerabilities.

eddiesarevalo added a commit that referenced this issue Jun 1, 2021
-Updated all dependencies to the latest versions.
tloubrieu-jpl pushed a commit that referenced this issue Jun 1, 2021
-Updated all dependencies to the latest versions.
@gxtchen

gxtchen commented Oct 17, 2021

@jordanpadams @tloubrieu-jpl When I run npm install on my Mac, I am seeing these numbers: 58 vulnerabilities (16 moderate, 40 high, 2 critical) after running npm audit fix --force.
What can I show in testing report?

@tloubrieu-jpl
Member Author

@gxtchen Yes, this is good feedback. We fixed that in the past but it came back. You should also create a specific ticket for this issue; @eddiesarevalo should be able to correct that.
