Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): generate new yarn lock file to address yarn audit findings #1672

Merged
merged 1 commit into from
Nov 10, 2020

Conversation

alexforsyth
Copy link
Contributor

@alexforsyth alexforsyth commented Nov 10, 2020

Issue #, if available:
#1670

Running yarn audit gives

4460 vulnerabilities found - Packages audited: 2798
Severity: 4436 Low | 24 High
Done in 6.65s.

This fixes most of the vulns.

There is one high-sev issue remaining that stems from @commitlint/config-conventional

{
  "type": "auditAdvisory",
  "data": {
    "advisory": {
      "findings": [
        {
          "version": "3.0.0",
          "paths": [
            "@commitlint/config-conventional>conventional-changelog-conventionalcommits>compare-func>dot-prop"
          ]
        }
      ],

      "title": "Prototype Pollution",
      "module_name": "dot-prop",
      "cves": [
        "CVE-2020-8116"
      ],
      "vulnerable_versions": "<4.2.1 || >=5.0.0 <5.1.1",
      "patched_versions": ">=4.2.1 <5.0.0 || >=5.1.1",
      "overview": "Versions of `dot-prop` before 4.2.1 or 5.1.1 are vulnerable to prototype pollution. The function `set` does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects.\n\n",
      "recommendation": "Upgrade to version 4.2.1, 5.1.1 or later.",
      "references": "- [GitHub advisory](https://github.com/advisories/GHSA-ff7x-qrg7-qggm)\n- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-8116)",
      "severity": "high",
      "url": "https://npmjs.com/advisories/1213"
    }
  }
}

This will be fixed in a subsequent PR

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Copy link
Member

@trivikr trivikr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM if CodeBuild CI succeeds

@alexforsyth alexforsyth changed the title fix: generated new yarn lock file fix(deps): generate new yarn lock file to address yarn audit findings Nov 10, 2020
@alexforsyth alexforsyth merged commit b2d9794 into aws:master Nov 10, 2020
@github-actions
Copy link

github-actions bot commented Jan 9, 2021

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 9, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants