
Superset includes a number of vulnerable 3rd party JS packages #18879

Closed
jesseward opened this issue Feb 23, 2022 · 3 comments
Labels: bug (Bug report), inactive (Inactive for >= 30 days)

Comments

jesseward commented Feb 23, 2022

NOTE: This request was originally reported to [email protected], though it has since been redirected here due to the nature of the content (3rd party libraries).

Context
We're looking to utilize Superset in our corporate development infrastructure, though we were alerted by our security team that the package currently depends upon a number of outdated and vulnerable 3rd party JavaScript libraries.

Details

Package   Reference               Current Version                             Required Version
trim      CVE-2020-7753           master = trim-0.0.1                         required >= trim-0.0.3
ajv       CVE-2020-15366          (via node_modules/react-jsonschema-form)    required >= ajv-6.12.3
urijs     SNYK-JS-URIJS-1319806   master = urijs-1.19.6                       required >= urijs-1.19.7
xss       SNYK-JS-XSS-1584355     master = xss-1.0.8                          required >= xss-1.0.10

Curious if all of the above are in the critical path of superset-frontend usage, or only present during build, unit or other testing?

@jesseward jesseward added the #bug Bug report label Feb 23, 2022
villebro (Member) commented

I opened a PR to bring the urijs and xss packages up to date: #18922 . ajv appears to be used in storybook and build tools so shouldn't affect runtime, and trim should not affect Superset, as it's a ReDoS and we're currently only running JS on the frontend.

Feel free to hack away at the remaining ones if you have the time. One dep that would probably solve a lot of npm audit complaints is react-markdown. Updating that to the latest version (8.0.0, but even 7.1.2 would be nice if there's concern that an x.0.0 may be unstable) will require some refactoring, but would be very valuable work.
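The question in the report above (are these packages in the runtime critical path, or only build/test tooling?) and villebro's answer about ajv being dev-only can be checked mechanically against the lockfile. The Node script below is an added example, not code from the issue or from the Superset repository: it reads a lockfile v2 package-lock.json "packages" map, flags installs of the four listed packages that are below the required fixed versions, and reports whether each such install is reachable only through devDependencies ("dev": true) or ships in the runtime graph. The lockfile contents and versions are constructed sample data (not Superset's real lockfile); to run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json.

```javascript
// Minimum fixed versions, as listed in the issue.
const REQUIRED = { trim: "0.0.3", ajv: "6.12.3", urijs: "1.19.7", xss: "1.0.10" };
// Constructed sample package-lock.json (v2 "packages" map), not Superset's real lockfile.
// Keys are install paths; "dev": true marks installs reachable only via devDependencies.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/trim": { version: "0.0.1" },
    "node_modules/urijs": { version: "1.19.6" },
    "node_modules/xss": { version: "1.0.8" },
    "node_modules/ajv": { version: "6.12.6", dev: true },
    "node_modules/react-jsonschema-form/node_modules/ajv": { version: "6.12.0", dev: true },
  },
};

// Numeric dotted-version comparison: 1.0.10 > 1.0.8, which string comparison gets wrong.
function cmpVersions(a, b) {
  const pa = a.split("."), pb = b.split(".");
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = parseInt(pa[i] || "0", 10), y = parseInt(pb[i] || "0", 10);
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// Package name is everything after the last "node_modules/" (also handles @scope/name).
function nameFromPath(installPath) {
  return installPath.slice(installPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Per watched package: every install found, whether any is below the minimum, and
// whether a below-minimum install sits in the runtime (non-dev) dependency graph.
function auditLock(lock, required) {
  const findings = {};
  for (const [installPath, meta] of Object.entries(lock.packages)) {
    const name = nameFromPath(installPath);          // root entry "" yields "" and is skipped
    if (!(name in required)) continue;
    const f = findings[name] || (findings[name] = { installs: [], belowMinimum: false, runtimeExposed: false });
    const vulnerable = cmpVersions(meta.version, required[name]) < 0;
    f.installs.push({ installPath, version: meta.version, dev: Boolean(meta.dev), vulnerable });
    if (vulnerable) {
      f.belowMinimum = true;
      if (!meta.dev) f.runtimeExposed = true;        // would ship in the production bundle graph
    }
  }
  return findings;
}

for (const [name, f] of Object.entries(auditLock(SAMPLE_LOCK, REQUIRED))) {
  const status = !f.belowMinimum ? "ok" : f.runtimeExposed ? "RUNTIME EXPOSED" : "dev-only";
  console.log(`${name}: ${status} (${f.installs.map((i) => i.version + (i.dev ? " [dev]" : "")).join(", ")})`);
}
```

With the sample data, trim, urijs and xss are reported as runtime-exposed while ajv is below the minimum only in a dev-only install, matching the reasoning in the reply above.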

stale bot commented Apr 29, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.

@stale stale bot added the inactive Inactive for >= 30 days label Apr 29, 2022
rusackas (Member) commented Jun 1, 2023

Looks like the threats have been addressed and that's probably why this has gone idle for so long. We're still open to any and all package bump PRs, and if you think I'm misconstruing anything and this needs re-opening, just say the word! Thank you!

@rusackas rusackas closed this as completed Jun 1, 2023