[ESCONF-3] Fix `eslint-config-stripes` security vulnerability reported in minimist < 1.2.2 Created: 24/Mar/20  Updated: 19/Oct/20  Resolved: 26/Jun/20

Status: Closed
Project: eslint-config-stripes
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P3
Reporter: Peter Murray Assignee: Ryan Berger
Resolution: Done Votes: 0
Labels: security, ui-only
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to UXPROD-2579 Q3 2020 - Stripes - Tech debt Closed
Sprint: stripes-force 91, stripes-force 88
Development Team: Stripes Force

Description

Remediation

Upgrade minimist to version 1.2.2 or later. For example:

    minimist@^1.2.2:
        version "1.2.2"

Always verify the validity and compatibility of suggestions with your codebase.

Details

GHSA-7fhm-mqm4-2wp7

moderate severity

*Vulnerable versions:* < 1.2.2

*Patched version:* 1.2.2

There are high severity security vulnerabilities in two of ESLint's dependencies:

The releases 1.8.3 and lower of svjsl (JSLib-npm) are vulnerable, but only if installed in a developer environment. A patch has been released (v1.8.4) which fixes these vulnerabilities.

Identifiers:

  • CVE-2020-7598
  • SNYK-JS-ACORN-559469 (does not have a CVE identifier)
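
A lockfile check for the remediation above, as an added example that is not part of the original issue or the project's own code: it scans `yarn.lock` (v1 format) text for `minimist` entries that resolve below 1.2.2. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag minimist entries in a yarn.lock (v1) resolving below 1.2.2.
const PATCHED = [1, 2, 2];

// Compare "x.y.z" with PATCHED; prerelease/build suffixes are ignored (assumption).
function isBelowPatched(version) {
  const parts = version.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== PATCHED[i]) return a < PATCHED[i];
  }
  return false;
}

// Return every minimist entry whose resolved version is below 1.2.2.
function findVulnerableMinimist(lockText) {
  const findings = [];
  let current = null; // specifiers of the minimist entry being read, if any
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line) && !line.startsWith('#')) {
      // Entry header, e.g.  "minimist@^1.2.0", minimist@~1.2.0:
      const specs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      current = specs.some(s => s.startsWith('minimist@')) ? specs : null;
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) {
        if (isBelowPatched(m[1])) findings.push({ specifiers: current, version: m[1] });
        current = null; // one version line per entry
      }
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from the project).
const SAMPLE_LOCK = `# yarn lockfile v1

minimist@0.0.8:
  version "0.0.8"

"minimist@^1.2.0", minimist@~1.2.0:
  version "1.2.0"

minimist@^1.2.2:
  version "1.2.2"
minimist-options@^3.0.1:
  version "3.0.2"
`;

console.log(findVulnerableMinimist(SAMPLE_LOCK));
```

The specifiers in each finding show which ranges pin the old version, which is where a transitive dependency or a `resolutions` entry needs attention.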


Comments
Comment by Peter Murray [ 25/Mar/20 ]

Khalilah Gambrell: Could you work this into Stripes Force sprint planning, please?

Comment by Khalilah Gambrell [ 25/Mar/20 ]

Peter Murray - will do.

Comment by Ryan Berger [ 26/Jun/20 ]

Merged resolution into `platform-core` and `platform-complete` snapshot branches.
