Status: Done
Assignee: Ryan Berger
Reporter: Julian Ladisch
Sprint: None
Development Team: Stripes Force
Created: May 11, 2021 at 11:03 PM
Updated: September 24, 2021 at 8:24 PM
Resolved: May 21, 2021 at 6:56 PM
Overview:
yarn.lock contains dependencies pinned to old, vulnerable versions, resulting in security warnings being sent to the FOLIO security team.
Steps to Reproduce:
Open https://github.com/folio-org/eslint-config-stripes/security
Expected Results:
The "Dependabot alerts" bot ignores package.json dependencies with a vulnerable version where a compatible, more recent version with a fix exists.
Actual Results:
The "Dependabot alerts" list shows all dependencies listed in yarn.lock, even if a compatible, more recent version with a fix exists.
Additional Information:
yarn.lock is 12 months old. A dependency like
lodash "^4.17.4"
was resolved to "4.17.15" 12 months ago. This old version has security issues. However, resolving it today yields a fixed version, "4.17.21".
yarn.lock is NOT used when some other module depends on eslint-config-stripes.
yarn.lock is only used by GitHub Dependabot; the results are posted to the GitHub security tab https://github.com/folio-org/eslint-config-stripes/security, which creates security warnings sent to the FOLIO security team: https://folio-org.atlassian.net/wiki/display/SEC/
In the past yarn.lock was updated: https://github.com/folio-org/eslint-config-stripes/pull/65
This helps Dependabot and the security team.
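The resolution described above (a caret range in package.json that yarn.lock pins to an older release than the range now permits), as an added example that is not part of this ticket or of the eslint-config-stripes project: a small Python script that parses a v1 yarn.lock fragment, applies caret-range semantics, and reports every entry whose pinned version lags behind the newest compatible version. The lockfile text, the package "@example/widget", and the registry version lists are constructed stand-ins so the script runs offline (an assumption, not registry data); pre-release suffixes are ignored for simplicity.

```python
import re
from typing import Dict, List, Tuple

# Constructed v1 yarn.lock fragment standing in for a lockfile written 12 months ago.
# "lodash@^4.17.4" was pinned to 4.17.15 at the time; "@example/widget" is a made-up package.
STALE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


lodash@^4.17.4:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz"

"@example/widget@^0.3.1":
  version "0.3.2"
  resolved "https://registry.yarnpkg.com/@example/widget/-/widget-0.3.2.tgz"
"""

# Constructed stand-in for the registry's published version lists (offline; an assumption).
REGISTRY_VERSIONS: Dict[str, List[str]] = {
    "lodash": ["4.17.4", "4.17.15", "4.17.19", "4.17.20", "4.17.21", "5.0.0"],
    "@example/widget": ["0.3.1", "0.3.2", "0.3.5", "0.4.0"],
}

Version = Tuple[int, int, int]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_HEADER_RE = re.compile(r"^(\S.*):$")  # unindented 'name@spec[, name@spec]:' block header


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' into a comparable tuple; pre-release suffixes are ignored (simplification)."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def caret_satisfies(spec: str, candidate: Version) -> bool:
    """Caret range '^X.Y.Z': any version >= X.Y.Z that keeps the left-most non-zero component."""
    if not spec.startswith("^"):
        raise ValueError("this example handles caret ranges only")
    low = parse_version(spec[1:])
    if low[0] > 0:
        high: Version = (low[0] + 1, 0, 0)
    elif low[1] > 0:
        high = (0, low[1] + 1, 0)
    else:
        high = (0, 0, low[2] + 1)
    return low <= candidate < high


def parse_yarn_lock(text: str) -> List[Tuple[str, str, str]]:
    """Return (package, range spec, pinned version) for every entry of a v1 yarn.lock."""
    blocks: List[dict] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        header = _HEADER_RE.match(line)
        if header:
            keys = [key.strip().strip('"') for key in header.group(1).split(",")]
            blocks.append({"keys": keys, "version": None})
        elif line.startswith("  version ") and blocks:
            blocks[-1]["version"] = line.split('"')[1]
    entries = []
    for block in blocks:
        if block["version"] is None:
            continue
        for key in block["keys"]:
            name, _, spec = key.rpartition("@")  # scoped names keep their leading '@'
            entries.append((name, spec, block["version"]))
    return entries


def stale_entries(lock_text: str, registry: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """List (package, spec, pinned, newest compatible) where the lockfile lags behind its range."""
    findings = []
    for name, spec, pinned in parse_yarn_lock(lock_text):
        compatible = [v for v in registry.get(name, []) if caret_satisfies(spec, parse_version(v))]
        if not compatible:
            continue
        newest = max(compatible, key=parse_version)
        if parse_version(newest) > parse_version(pinned):
            findings.append((name, spec, pinned, newest))
    return findings


if __name__ == "__main__":
    for name, spec, pinned, newest in stale_entries(STALE_YARN_LOCK, REGISTRY_VERSIONS):
        print(f"{name} {spec}: yarn.lock pins {pinned}, range now resolves to {newest}")
```

Running the script prints lodash pinned at 4.17.15 while the range "^4.17.4" now resolves to 4.17.21, which is exactly the gap Dependabot reports against a stale lockfile; regenerating yarn.lock (or removing it from a library that consumers never use it for) closes the gap.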