This repository has been archived by the owner on Jun 10, 2024. It is now read-only.

#342 resolve the critical npm audit vulnerability #343

Merged
merged 4 commits into from
Jan 31, 2022
10 changes: 9 additions & 1 deletion cra-client/package.json
Expand Up @@ -3,6 +3,12 @@
"version": "3.5.0-rc.0",
"description": "Egeria React User Interface client component.",
"private": true,
"resolutions": {
"immer": "9.0.7",
"nth-check": "2.0.1",
"glob-parent": "6.0.1",
"node-forge": "1.0.0"
},
"dependencies": {
"@babel/core": "^7.16.5",
"@carbon/elements": "^10.49.0",
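Review bot: the new `resolutions` block pins four transitive packages to exact versions (immer 9.0.7, nth-check 2.0.1, glob-parent 6.0.1, node-forge 1.0.0), but npm ignores this field on its own; it only takes effect because the later hunks add `npm-force-resolutions` and a `preinstall` hook that rewrites package-lock.json (npm 8.3+ offers a native `overrides` field that does this without the hook). Two things are missing: a note tying each pin to the advisory it closes, so the pin can be dropped once the parent package ships a fixed range, and confirmation that each forced version is inside the range its consumers declare, since forcing a transitive dependency past that range can break those consumers at runtime even when `npm audit` is clean. Exact pins also stop receiving patch releases, so they need to be revisited on each audit run.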
Expand All @@ -20,6 +26,7 @@
"date-fns": "^2.27.0",
"fibers": "^5.0.0",
"joi": "^17.5.0",
"npm-force-resolutions": "0.0.10",
"postcss": "^8.4.5",
"prop-types": "^15.7.2",
"react": "^17.0.2",
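Review bot: `"npm-force-resolutions": "0.0.10"` is an install-time tool that the React client never imports, so it belongs in `devDependencies` rather than `dependencies`, where it is shipped as part of the production dependency set. It is also a package that is granted the right to rewrite package-lock.json during every install, so the exact pin with no range is the right call, and its lock-file entry deserves the same review as any other new supply-chain dependency.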
Expand All @@ -38,7 +45,8 @@
"start": "react-scripts start",
"build": "react-scripts build",
"test": "react-scripts test --env=jsdom",
"eject": "react-scripts eject"
"eject": "react-scripts eject",
"preinstall": "npx force-resolutions"
},
"contributors": [
{
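Review bot: `"preinstall": "npx force-resolutions"` does not pin a version, so every `npm install` (CI included) fetches whatever npx resolves at that moment, which undoes the point of pinning `npm-force-resolutions` to `0.0.10` in the dependencies hunk; pin the version in the npx invocation as well. Because `preinstall` runs before any dependency is installed, the hook depends on npx downloading the tool from the registry, and the tool only works by rewriting an existing package-lock.json, so a checkout without a committed lock file (or a CI step that regenerates it) will silently not get the forced versions. That behaviour should be written down in docs/security-fixes.md.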
33 changes: 33 additions & 0 deletions docs/security-fixes.md
@@ -0,0 +1,33 @@
# Security Fixes

The build solar scan runs and spots vulnerabilities.
Also locally you can run npm audit to list vulnerabilities.
Over time more and more vultnerabilities will be flagged by these mechanisms. This file is to keep track of the outstanding security fixed and how they are bing addressed.

npm audit fix should run regularly. This should fix any components that can be upgraded with a non-breaking change.

As of 30/01/22

* issue [https://github.com/odpi/egeria-react-ui/issues/342](https://github.com/odpi/egeria-react-ui/issues/342) was raised to address a critical issue in Immer.

```npm audit gives
found 94 vulnerabilities (2 low, 87 moderate, 4 high, 1 critical) in 2485 scanned packages
91 vulnerabilities require semver-major dependency updates.
3 vulnerabilities require manual review. See the full report for details.```



There is a lot of discussion about this not actually effecting runtime. The fix that was recommended was to force the level of Immer. The fix forthis introduced some force resolutions including that of Immer. This brings the oustanding vulnerabilities to :

```found 86 vulnerabilities (84 moderate, 2 high)```
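Review bot: both fenced blocks in the new file are malformed. On the line beginning ```npm audit gives the words after the backticks are read as the fence's language tag and the closing ``` sits on the same line as the last report line; the `found 86 vulnerabilities` block opens and closes on one line. Put each opening and closing fence on its own line and move "npm audit gives" into the prose above the block. Spelling to fix: "vultnerabilities", "fixed" (should be "fixes"), "bing", "forthis", "oustanding", "effecting" (affecting), and "solar scan" if the Sonar scan is meant. On substance, the file records the before (94 findings, 1 critical) and after (86 findings, 2 high) counts but not which `resolutions` pin closes which advisory or what the remaining 2 high findings are, so a reader cannot tell when a pin may be removed; the date `30/01/22` should also be written unambiguously, e.g. 2022-01-30.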