Describe the bug
After the security fixes on NPM dependencies made by #155 and #156, there are still two remaining issues, on lodash (< 4.17.13) and js-yaml (< 3.13.1). Those vulnerabilities are in the project because they're included in other dependencies which can't be upgraded.
This issue is here to keep track and make sure that those vulnerabilities will be patched when new versions of the dependencies become available.

Here is some info on those dependencies:
html-webpack-plugin: It seems that this vulnerability is fixed and merged in master. Will it be released in the next version? (update lodash dependency for prototype pollution vulnerability jantimon/html-webpack-plugin#1270)
inject-loader: Vulnerabilities present because this dependency still uses Babel v6. Babel has fixed the vulnerability in v7, but this is still not integrated in inject-loader: Add support for Babel 7 plasticine/inject-loader#62
karma: karma has fixed the lodash vulnerability, but it still uses another dependency which imports it (log4js). karma uses a vulnerable version of lodash karma-runner/karma#3349
eslint: ESLint has fixed this vulnerability in version 6, but can't be upgraded in ARA due to the lack of support for it in the dependency eslint-plugin-vue: ESLint 6 compatibility vuejs/eslint-plugin-vue#920

To Reproduce
Go in the `client/` folder
Do a `npm ls lodash` and `npm ls js-yaml`.

Expected behavior
All the vulnerabilities are patched.

Screenshots

Environment
All
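The two `npm ls` commands in the reproduction steps show where the vulnerable copies sit in the tree. As an added example (not the ARA project's own code), the script below walks `npm ls --json` output and reports every dependency chain that pulls in lodash below 4.17.13 or js-yaml below 3.13.1; the embedded tree is constructed to mirror the chains described in this issue, and its package versions are placeholders, not ARA's real lockfile.

```javascript
// Added example, not part of the ARA project: report every dependency chain in
// `npm ls --json` output that pulls in a package below its patched version.
// Thresholds are the two tracked in this issue.
const PATCHED = { lodash: '4.17.13', 'js-yaml': '3.13.1' };

// Numeric dotted-version compare (a string compare would rank 4.17.9 above 4.17.13).
// Returns < 0 if a is older than b, 0 if equal, > 0 if newer.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested `dependencies` objects recursively and collect each vulnerable
// occurrence together with the chain of packages that brought it in.
function findVulnerable(tree, patched = PATCHED, chain = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = chain.concat(name);
    const fixedIn = patched[name];
    if (fixedIn && node.version && compareVersions(node.version, fixedIn) < 0) {
      out.push({ chain: here.join(' > '), version: node.version, fixedIn });
    }
    findVulnerable(node, patched, here, out);
  }
  return out;
}

// Constructed stand-in for `npm ls --json` run in client/. Every version below is a
// placeholder chosen to mirror the chains named in the issue, not real data.
const SAMPLE_TREE = {
  name: 'client',
  dependencies: {
    'inject-loader': { version: '(placeholder)', dependencies: {
      'babel-core': { version: '(placeholder)', dependencies: {
        lodash: { version: '4.17.11' } } } } },
    karma: { version: '(placeholder)', dependencies: {
      lodash: { version: '4.17.14' },
      log4js: { version: '(placeholder)', dependencies: { lodash: { version: '4.17.11' } } } } },
    eslint: { version: '(placeholder)', dependencies: { 'js-yaml': { version: '3.13.0' } } },
  },
};

for (const hit of findVulnerable(SAMPLE_TREE)) {
  console.log(`${hit.chain}@${hit.version} (fixed in ${hit.fixedIn})`);
}
```

Against a real checkout, feed it the parsed output of `npm ls --json` from the `client/` folder instead of `SAMPLE_TREE`.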