Fail CI if we have packages with vulnerabilities #54

Open
baradm100 opened this issue Aug 15, 2020 · 1 comment
Labels
DevOps Automatic the operation side of things good first issue Good for newcomers Security Security related task

Comments

@baradm100
Owner

We should fail CI if we have packages with vulnerabilities.

Severity Level

For now we'll fail for all the severity levels

@baradm100 baradm100 added good first issue Good for newcomers DevOps Automatic the operation side of things Security Security related task labels Aug 15, 2020
@baradm100
Owner Author

baradm100 commented Aug 15, 2020

Found Vulnerabilities!

Summary

Severity   # of finds
Info       0
Low        0
Moderate   0
High       6
Critical   0
Total      6

Can Be Updated

gatsby-cli (2.12.87)

Paths

  • gatsby>gatsby-cli>update-notifier>configstore>dot-prop [dev]

Advisories

Prototype Pollution (High)

Vulnerable Versions: <5.1.1

Patched Versions: >=5.1.1

More Info: https://npmjs.com/advisories/1213

Overview

Versions of dot-prop before 5.1.1 are vulnerable to prototype pollution. The function set does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.

elliptic (6.5.3)

Paths

  • gatsby>webpack>node-libs-browser>crypto-browserify>browserify-sign>elliptic [dev]
  • gatsby>webpack>node-libs-browser>crypto-browserify>create-ecdh>elliptic [dev]

Advisories

Signature Malleability (High)

Vulnerable Versions: <6.5.3

Patched Versions: >=6.5.3

More Info: https://npmjs.com/advisories/1547

Overview

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

terser-webpack-plugin (1.4.5)

Paths

  • gatsby>terser-webpack-plugin>serialize-javascript [dev]
  • gatsby>webpack>terser-webpack-plugin>serialize-javascript [dev]

Advisories

Remote Code Execution (High)

Vulnerable Versions: <3.1.0

Patched Versions: >=3.1.0

More Info: https://npmjs.com/advisories/1548

Overview

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of . The UID has a keyspace of approximately 4 billion making it a realistic network attack.

The following proof-of-concept calls console.log() when run through eval():
eval('('+ serialize({"foo": /1" + console.log(1)/i, "bar": '"@__R-<UID>-0__@'}) + ')');

Manual Review

dot-prop

Paths

  • gatsby>devcert>configstore>dot-prop [dev]

Advisories

Prototype Pollution (High)

Vulnerable Versions: <5.1.1

Patched Versions: >=5.1.1

More Info: https://npmjs.com/advisories/1213

Overview

Versions of dot-prop before 5.1.1 are vulnerable to prototype pollution. The function set does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.
