Update packages to avoid introducing vulnerablities #1328
Comments
|
Thanks |
|
@xiangshouding Thanks for your understanding and help. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi @Xiangshouding @2betop,I’d like to report several vulnerabilities
Issue
15 vulnerabilities (9 high, 4 medium and 2 low severity) are introduced in fis3.There are some examples:
1.Vulnerability npmjs-advisories-1464 (high severity) is detected in package lodash(versions:<4.17.21):https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054
2.Vulnerability CVE-2020-8203 (medium severity) is detected in package lodash(versions:<4.17.16):https://snyk.io/vuln/SNYK-JS-LODASH-567746
3.Vulnerability CVE-2016-10540 (high severity) is detected in package minimatch(versions:<3.0.2):https://snyk.io/vuln/npm:minimatch:20160620
4.Vulnerability npmjs-advisories-1179 (low severity) is detected in package minimist(versions:>=0.0.0 <0.2.1,>=1.0.0 <1.2.3):https://www.npmjs.com/advisories/1179
The above vulnerable packages are referenced by fis3 via:
In fis3@3.4.* :
fis3@3.4.45 ➔ lodash@4.17.5fis3@3.4.45 ➔ glob@5.0.3 ➔ minimatch@2.0.10fis3@3.4.45 ➔ minimist@1.1.1In fis3@3.2.* :
fis3@3.2.13 ➔ glob@5.0.3 ➔ minimatch@2.0.10fis3@3.2.13 ➔ minimist@1.1.1In fis@3.3.* :
In a similar way to 3.2.*Solution
Since fis3@3.4.* is transitively referenced by 123 downstream projects (e.g., stormrage 2.8.0 (latest version),fis3-client 1.6.352 (latest version), fep-cli 1.0.0 (latest version), atmjs 0.7.7 (latest version), pcat 2.9.2(latest version)),
fis3@3.2.* is referenced by 2 downstream projects (fis273 1.2.3 (latest version), xiangha-fe 1.0.5 (latest version)),
fis3@3.3.* is referenced by 2 downstream projects (fis-web-config 0.0.3 (latest version), feat-l 0.0.3 (latest version)),
If fis3 removes the vulnerabilities from the above versions, then its fixed versions can help downstream users decrease their pain.
Could you help update packages in these versions?
Fixing suggestions
(1)In fis3@3.4.*, you can kindly try to perform the following upgrades (not crossing their major versions):
lodash 4.17.5 ➔ 4.17.21;Note:
lodash@4.17.21,(>=4.17.21) has fixed the vulnerabilities(e.g.,CVE-2021-23337,CVE-2020-8203,CVE-2018-16487)
glob 5.0.3 ➔ 5.0.15;Note:
_glob@5.0.15 directly depends on minimatch@3.0.4(a vulnerability CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 patched version) _
minimist 1.1.1 ➔ 1.2.3;Note:
minimist@1.2.3 has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179
(2)In fis3@3.2.*, you can kindly try to perform the following upgrades (not crossing their major versions):
glob 5.0.3 ➔ 5.0.15;Note:
_glob@5.0.15 directly depends on minimatch@3.0.4(a vulnerability CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 patched version) _
minimist 1.1.1 ➔ 1.2.3;Note:
minimist@1.2.3 has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179
(3)In fis3@3.3.*, you can kindly try to perform the following upgrades (not crossing their major versions):
glob 5.0.3 ➔ 5.0.15;Note:
_glob@5.0.15 directly depends on minimatch@3.0.4(a vulnerability CVE-2016-10540 and SNYK-JS-MINIMATCH-1019388 patched version) _
minimist 1.1.1 ➔ 1.2.3;Note:
minimist@1.2.3 has fixed the vulnerabilities CVE-2020-7598 and npmjs-advisories-1179
Thanks for your contributions to the npm ecosystem!
Best regards,
Paimon
The text was updated successfully, but these errors were encountered: