Ops: SourceClear Security Validation - dependency lib. vulnerability - CHOWNR

[ivijan]

Detailed description

https://sap.sourceclear.io/

SourceClear scanning for vulnerability issues reports issue with transitive dependency library chownr that is dependency of npm that is defined in package.json under "engines" node.

Additional information

"engines": { "npm": ">=9.5.0 <10.0.0" }

Vulnerability issues: Time Of Check To Time Of Use (TOCTOU)

[saad-mo]

@ivijan we changed npm as an engine versus a direct dependency to the project as suggested in #478. We also thought it will help resolve #591, but it didn't help much.

Do you have a suggestion on how we can address all these three issues? (#478, #591 and #648)

[ivijan]

Hello @saadmhybris,
It is great that the topic of npm vulnerabilities is already known and processed.
I will also investigate the topic on the side, and if I find something, I will come back to you.

[saad-mo]

This issue has been addressed.