Contrib.social

Security dependencies js

Open on Drupal.org →
Created on 12 September 2023, about 1 year ago
Updated 23 July 2024, 4 months ago

Problem/Motivation

With trivy we found critical security

Steps to reproduce

Use trivy in module

Proposed resolution

Update js dependencies

🐛 Bug report
Status

Needs review

Version

2.2

Component

Code

Created by

🇫🇷France Anwoon

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @Anwoon
  • Status changed to Needs review about 1 year ago
  • Comment about 1 year ago
    🇫🇷France Anwoon
  • Comment about 1 year ago
    🇫🇷France Anwoon

    Just fix name of patch

  • Status changed to Needs work 7 months ago
  • Comment 7 months ago
    🇮🇳India rajeevgole

    I tested the #3 patch. There are vulnerabilities(Critical, Medium) left in the below libraries after implementing the patch.

    1. @babel/traverse
    2. PostCSS
    3. node-tar
  • Comment 6 months ago
    🇮🇳India vipul tulse

    Added patch for upgrade latest packages and build

  • Comment 6 months ago
    🇮🇳India vipul tulse

    Updated patch to resolve @babel/traverse crtical issues

  • Comment 6 months ago
    🇮🇳India vipul tulse

    Latest patch to resolve the
    ------------------------------
    json5 Prototype Pollution
    VULNERABILITY
    CWE-1321OPEN THIS LINK IN A NEW TAB
    CVE-2022-46175OPEN THIS LINK IN A NEW TAB
    CVSS 6.4OPEN THIS LINK IN A NEW TAB MEDIUM
    SNYK-JS-JSON5-3182856
    ------------------------------
    loader-utils Prototype Pollution
    VULNERABILITY
    CWE-1321OPEN THIS LINK IN A NEW TAB
    CVE-2022-37601OPEN THIS LINK IN A NEW TAB
    CVSS 7.5OPEN THIS LINK IN A NEW TAB HIGH
    SNYK-JS-LOADERUTILS-3043105
    ------------------------------
    loader-utils Regular Expression Denial of Service (ReDoS)
    VULNERABILITY
    CWE-1333OPEN THIS LINK IN A NEW TAB
    CVE-2022-37599OPEN THIS LINK IN A NEW TAB
    CVSS 5.3OPEN THIS LINK IN A NEW TAB MEDIUM
    SNYK-JS-LOADERUTILS-3042992
    ------------------------------

    loader-utils Regular Expression Denial of Service (ReDoS)
    VULNERABILITY
    CWE-1333OPEN THIS LINK IN A NEW TAB
    CVE-2022-37603OPEN THIS LINK IN A NEW TAB
    CVSS 5.3OPEN THIS LINK IN A NEW TAB MEDIUM
    SNYK-JS-LOADERUTILS-3105943
    ------------------------------

  • Comment 6 months ago
    🇮🇳India vipul tulse

    Please ignore the above patch, which has issues.

    Updated packages and yarn run build
    Tested after upgrade build looks good

    Added below override dependencies.
    "resolutions": {
    "raw-loader/loader-utils": "2.0.4",
    "raw-loader/json5": "2.2.2",
    "@ckeditor/ckeditor5-dev-utils/del/globby/glob": "10.3.16",
    "@ckeditor/ckeditor5-dev-utils/del/rimraf/glob": "10.3.16",
    "@ckeditor/ckeditor5-dev-utils/@ckeditor/ckeditor5-dev-translations/rimraf/glob": "10.3.16",
    "@ckeditor/ckeditor5-dev-utils/terser-webpack-plugin/serialize-javascript": "6.0.2",
    "@ckeditor/ckeditor5-dev-utils/shelljs/glob": "10.3.16",
    "@ckeditor/ckeditor5-dev-utils/terser-webpack-plugin/cacache/glob": "10.3.16"
    }

  • Comment 4 months ago
    🇮🇳India dev16.addweb

    silvi.addweb made their first commit to this issue’s fork.

  • Merge request !23Security dependencies js → (Open) created by Unnamed author
  • Status changed to Needs review 4 months ago
  • Comment 4 months ago
    🇮🇳India dev16.addweb
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024