Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix security vulnerability in package-lock.json #28

Closed
acaproni opened this issue May 11, 2018 · 3 comments
Closed

Fix security vulnerability in package-lock.json #28

acaproni opened this issue May 11, 2018 · 3 comments

Comments

@acaproni
Copy link
Member

The security warning has been reported by github: https://github.com/IntegratedAlarmSystem-Group/ias-display/network/dependencies

@sfehlandt
Copy link
Contributor

sfehlandt commented Jun 1, 2018

We upgraded one of the affected packages: jquery.

For the other one we need to upgrade to Angular 6, which was scheduled to be done for Release 4.
Follow up on: #40

@sfehlandt sfehlandt added this to the Release 4 milestone Jun 7, 2018
@sfehlandt
Copy link
Contributor

Current status
Unfortunately there is not much we can do about this, since the affected libraries are dependencies of dependencies, and we cannot control which versions of their dependencies our dependencies use.

The affected libraries were fixed and their dependants were updates accordingly up to "request v2.83".

The problem is that there are still 2 packages in our dependency tree using versions of "request" prior to 2.83:

  • node-sass: We are using their latest version, 4.9.0, which uses request 2.79. Currently the team is working on v5 which will use request 2.85. This is not merged yet because it will loose compatibility with node < 4, and hence it will be done for the next non-backwards-compatible release (v5)

  • loggly: Here the dependecy is lower in the tree: [email protected] -> [email protected] -> [email protected]. The problem is that [email protected] is still using request 2.75. The project has not been updated in 2 years. So there is not much hope this will be fixed any time soon.

The bright side
These are only "devDependencies", which mean they are only used for either testing or building the application and not in runtime. Specifically, the code of these dependencies does not go in the final application, it will not be in the docker images, and thus it will not be an issue for the production environment.

Next Steps

Since this is out of our control we suggest to keep this issue open until the dependencies are updated.
This issue will be removed from the Release 4 milestone: https://github.com/IntegratedAlarmSystem-Group/ias-display/milestone/4

@sfehlandt
Copy link
Contributor

sfehlandt commented Jul 17, 2018

Update:
node-sass and log4js have been updated. We only need to wait for karma to update the version of log4js: karma-runner/karma#2994

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants