During our scan, Security team has observed that serialize-javascript/6.0.0 has been included as dependency in the yarn.lock file but it has a known vulnerability , this needs version bump in the yarn.lock file to fix known vulnerability.
Check yarn.lock file on 11.x head repo
Bump serialize-javascript to version 6.0.2 or higher in yarn.lock
Bump serialize-javascript to version.
Active
11.0 🔥
asset library system
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
@bhanu951 cleared this issue with me before posting.
While we are here we should yarn audit all dependencies on all active branches as a cursory check shows that other transient JS dependencies have known vulnerabilities too.
@longwave created new issue to add yarn audit to CICD pipeline.