
npm audit vulnerability with js-yaml #65

Closed
seanpat09 opened this issue Jun 6, 2019 · 3 comments

@seanpat09

GitHub sent me some security alerts related to some of the dependencies in package-lock.json. Upgrading to 0.5.0 fixed most of those, but there are still some downstream dependencies related to js-yaml that I'm not sure how to resolve. Explicitly editing package-lock.json to use js-yaml >=3.13.0 fixes this, but to my understanding that might cause other issues.

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @salesforce/lwc-jest [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @salesforce/lwc-jest > @lwc/compiler > @lwc/style-compiler > │
│               │ cssnano > postcss-svgo > svgo > js-yaml                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/788                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @salesforce/lwc-jest [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @salesforce/lwc-jest > @lwc/compiler >                       │
│               │ @lwc/template-compiler > @lwc/style-compiler > cssnano >     │
│               │ postcss-svgo > svgo > js-yaml                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/788                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @salesforce/lwc-jest [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @salesforce/lwc-jest > @lwc/compiler > @lwc/style-compiler > │
│               │ cssnano > postcss-svgo > svgo > js-yaml                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/813                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @salesforce/lwc-jest [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @salesforce/lwc-jest > @lwc/compiler >                       │
│               │ @lwc/template-compiler > @lwc/style-compiler > cssnano >     │
│               │ postcss-svgo > svgo > js-yaml                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/813                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
@trevor-bliss
Contributor

Thanks for the Issue and sorry for the delayed response. Now that the prerelease branch is merged into master (#68), there are only the 4 violations as you pointed out.

The js-yaml version comes from the LWC compiler and since this package is bound to the LWC version that's currently released to production orgs, it's really up to the compiler to fix this issue and release a new version. The issue on LWC can be tracked here: salesforce/lwc#1331.

@GrantRWinter

salesforce/lwc#1331 was addressed with a fix last week. Are there any plans to update this with the updated lwc dependency? Would be most appreciated if there were to silence those security alerts related to js-yaml.

@pmdartus
Member

We will probably release the next version of LWC and update this package after the Xmas break. In the meantime, you can always run npm install with the --silent flag to get rid of the noise.
