Fix security vulnerabilities in growl, lodash, debug

Description

GitHub reported these known security vulnerabilities against
https://github.com/folio-org/platform-erm/blob/master/yarn.lock
They also exist in
https://github.com/folio-org/platform-core/blob/master/yarn.lock
This needs to be fixed in platform-core where platform-erm gets the dependencies from.

growl
Version < 1.10.0
Upgrade to ~> 1.10.0
Vulnerabilities: CVE-2017-16042 Critical severity
Defined in yarn.lock

lodash
Version < 4.17.5
Upgrade to ~> 4.17.5
Vulnerabilities: CVE-2018-16487 Low severity; CVE-2018-3721 Moderate severity
Defined in yarn.lock

debug
Version < 2.6.9
Upgrade to ~> 2.6.9
Vulnerabilities: CVE-2017-16137 Low severity
Defined in yarn.lock

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Attachments

Linked issues

Checklist

hide

TestRail: Results

Activity

Show:

Zak Burke May 9, 2019 at 3:13 PM

I believe stripes-testing depends on mocha merely because of its heritage: it used to be ui-testing and in that capacity both contained and invoked a bunch of mocha tests. `depcheck` agrees.

I'll remove it, and if that breaks things, I'll restore it and do some head scratching.

Khalilah Gambrell May 7, 2019 at 11:14 AM

, who can help with 's comments related to mocha tests?

Jason Skomorowski May 2, 2019 at 1:45 PM

Yup. Or someone else who understands why stripes-testing depends on mocha despite not containing any mocha tests nor invoking mocha in package.json.

Khalilah Gambrell April 30, 2019 at 3:29 PM
Edited

, is this the story that requires 's magic?

Jason Skomorowski April 26, 2019 at 8:57 PM

John worked some magic to forcibly reset a stuck cache and those commit got through CLI so now all the remains of this is updating stripes-testing's mocha and ya, I don't even know if it's using that dependency, maybe it can just be removed?

Done

Details
Assignee
Jason Skomorowski
Reporter
Julian Ladisch
Labels
security
Priority
P3
Sprint
None
Development Team
Stripes Force
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs

Created March 13, 2019 at 12:23 PM

Updated May 9, 2019 at 8:40 PM

Resolved May 9, 2019 at 8:40 PM

Configure

TestRail: Cases

TestRail: Runs

Fix security vulnerabilities in growl, lodash, debug

Description

CSP Request Details

CSP Rejection Details

Potential Workaround

Attachments

Linked issues

is blocked by

is duplicated by

relates to

Checklist

TestRail: Results

Activity

Zak Burke May 9, 2019 at 3:13 PM

Khalilah Gambrell May 7, 2019 at 11:14 AM

Jason Skomorowski May 2, 2019 at 1:45 PM

Khalilah Gambrell April 30, 2019 at 3:29 PMEdited

Jason Skomorowski April 26, 2019 at 8:57 PM

DetailsAssigneeJason SkomorowskiJason SkomorowskiReporterJulian LadischJulian LadischLabelssecurityPriorityP3SprintNone+3Development TeamStripes ForceTestRail: CasesOpen TestRail: CasesTestRail: RunsOpen TestRail: Runs

Details

Assignee

Reporter

Labels

Priority

Sprint

Development Team

TestRail: Cases

TestRail: Runs

Khalilah Gambrell April 30, 2019 at 3:29 PM
Edited

Details
Assignee
Jason Skomorowski
Reporter
Julian Ladisch
Labels
security
Priority
P3
Sprint
None
Development Team
Stripes Force
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs