As a SA, I don't want security vulnerabilities in the public UI #35
Comments
When I run
We need to know how critical these vulnerabilities are. I think we will go straight to the SA on this question.
@tloubrieu-jpl is there a report we could briefly review to identify what these vulnerabilities are? Some of them may be simple programming logic vulnerabilities we should address before going to the SAs.
@jordanpadams @eddiesarevalo yes, maybe we should find a way to get which vulnerabilities come from our code and which come from dependencies.
@jordanpadams @tloubrieu-jpl If you run the
A majority of the high risk vulnerabilities come from lodash, a react dependency which, from what I can tell, is not actually used in our built code but in the react build process.
@jordanpadams are there newer versions of our dependencies we could upgrade to that potentially remove these vulnerabilities?
@jordanpadams Yes, that is probably the second thing I can try after the
@jordanpadams @tloubrieu-jpl Using
@eddiesarevalo per discussions today, feel free to create a PR for these updates, and we will deal with the other moderate vulnerabilities.
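The split the comments above ask for (vulnerabilities that reach the built UI vs. ones that only live in the react build tooling) can be read off the paths in an npm 6 `npm audit --json` report. This is an added example, not code from the project; the `package.json` and audit report below are constructed samples, and the advisory ids and the `example-runtime-lib` package are placeholders, not real advisories.

```javascript
// Added example for this thread, not code from the project: split the
// advisories in an npm 6 `npm audit --json` report into "reaches shipped
// code" vs "build tooling only", using package.json's dependency sections.
// Both inputs are constructed samples; the advisory ids and the
// "example-runtime-lib" package are placeholders, not real advisories.
const packageJson = {
  dependencies: { react: "^16.13.1", "example-runtime-lib": "^1.0.0" },
  devDependencies: { "react-scripts": "^3.4.1" },
};

const auditReport = {
  advisories: {
    "1001": {
      module_name: "lodash",
      severity: "high",
      findings: [{ version: "4.17.11", paths: [
        "react-scripts>@babel/core>lodash",
        "react-scripts>webpack>lodash",
      ] }],
    },
    "1002": {
      module_name: "example-runtime-lib",
      severity: "moderate",
      findings: [{ version: "1.0.0", paths: ["example-runtime-lib"] }],
    },
  },
};

// Each npm audit path is "root>child>...>vulnerable"; the root is the direct
// dependency the project declared. If any path starts at a package listed
// under "dependencies", the vulnerable module can end up in the build output.
function classifyAudit(pkg, report) {
  const runtimeRoots = new Set(Object.keys(pkg.dependencies || {}));
  const counts = { runtime: {}, buildOnly: {} };
  const items = [];
  for (const adv of Object.values(report.advisories)) {
    const paths = adv.findings.flatMap((f) => f.paths);
    const roots = [...new Set(paths.map((p) => p.split(">")[0]))];
    const reachesRuntime = roots.some((r) => runtimeRoots.has(r));
    const bucket = reachesRuntime ? counts.runtime : counts.buildOnly;
    bucket[adv.severity] = (bucket[adv.severity] || 0) + 1;
    items.push({ module: adv.module_name, severity: adv.severity, roots, reachesRuntime });
  }
  return { counts, items };
}

console.log(JSON.stringify(classifyAudit(packageJson, auditReport), null, 2));
```

Against a real project, feed it the parsed output of `npm audit --json` and the project's own `package.json`. Build-only findings are lower risk for the served UI but still run on developer machines and CI, so they belong in the upgrade PR rather than being dropped.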
- Updated all dependencies to the latest versions.
@jordanpadams @tloubrieu-jpl when I run npm install on my Mac, I am seeing these numbers: 58 vulnerabilities (16 moderate, 40 high, 2 critical) after running npm audit fix --force.
@gxtchen yes, this is good feedback. We fixed that in the past but it came back. You should also create a specific ticket for this issue; @eddiesarevalo should be able to correct that.
When we npm install the UI, we saw some warnings about vulnerabilities, see:
$ npm install
Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!
The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/webpack-dev-server/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/watchpack-chokidar2/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/jest-haste-map/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.1.2 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
added 1691 packages from 810 contributors and audited 1699 packages in 32.942s

76 packages are looking for funding
  run `npm fund` for details

found 6 vulnerabilities (1 low, 2 moderate, 3 high)
  run `npm audit fix` to fix them, or `npm audit` for details