[ESCONF-5] Remove yarn.lock

| Created: 11/May/21 | Updated: 24/Sep/21 | Resolved: 21/May/21 |

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | eslint-config-stripes |
| Components | None |
| Affects versions | 3.2.1 |
| Fix versions | 6.0.0 |
| Type | Bug |
| Priority | P3 |
| Reporter | Julian Ladisch |
| Assignee | Ryan Berger |
| Resolution | Done |
| Votes | 0 |
| Labels | security, security-reviewed |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original estimate | Not Specified |
| Sprint | stripes-force 114 |
| Development Team | Stripes Force |

Description
Overview: yarn.lock contains dependencies with old versions that are vulnerable, resulting in security warnings sent to the FOLIO security team.

Steps to Reproduce: Open https://github.com/folio-org/eslint-config-stripes/security

Expected Results: The "Dependabot alerts" bot ignores package.json dependencies with a vulnerable version where a compatible, more recent version with a fix exists.

Actual Results: "Dependabot alerts" lists all dependencies that appear in yarn.lock, even if a compatible, more recent version with a fix exists.

Additional Information: yarn.lock is 12 months old. A dependency like lodash "^4.17.4" was resolved to "4.17.15" 12 months ago. This old version has security issues. However, resolving it today yields a fixed version, "4.17.21". yarn.lock is NOT used when some other module depends on eslint-config-stripes. yarn.lock is only used by GitHub Dependabot, and the results are posted to the GitHub security tab (https://github.com/folio-org/eslint-config-stripes/security) and create security warnings sent to the FOLIO security team: https://folio-org.atlassian.net/wiki/display/SEC/ In the past yarn.lock was updated: https://github.com/folio-org/eslint-config-stripes/pull/65 This helps Dependabot and the security team.
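The mechanism the description relies on (a lockfile pinning a resolved version below the newest version that the package.json range still allows, which is exactly what Dependabot reads and alerts on) can be checked before a lockfile goes stale. The script below is an added example, not code from the ESCONF-5 ticket or the eslint-config-stripes project: it parses a constructed yarn lockfile v1 fragment, computes the newest version satisfying each caret, tilde or exact range against a constructed (hypothetical, offline) registry snapshot, and reports every entry whose pin lags behind. The `hypothetical-widget` package and the placeholder hashes are invented for the example; the lodash numbers mirror the ticket's description.

```python
"""Flag yarn.lock entries pinned below the newest version that still satisfies
their package.json range.

Added example, not part of the ESCONF-5 ticket or the eslint-config-stripes
project. Inputs are constructed: a fragment in yarn lockfile v1 syntax and a
small hypothetical registry snapshot. Only exact, caret (^) and tilde (~)
ranges are handled, and the live registry lookup is replaced by the snapshot so
the script runs offline.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed yarn.lock v1 fragment (resolved URLs / integrity hashes are placeholders).
LOCK_TEXT = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


lodash@^4.17.4:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

"@babel/core@^7.12.0", "@babel/core@^7.12.3":
  version "7.12.3"
  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.12.3.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

semver@~6.3.0:
  version "6.3.0"
  resolved "https://registry.yarnpkg.com/semver/-/semver-6.3.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

hypothetical-widget@^0.3.2:
  version "0.3.2"
  resolved "https://registry.example.invalid/hypothetical-widget-0.3.2.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
"""

# Constructed registry snapshot: the versions assumed to be published per package.
REGISTRY: Dict[str, List[str]] = {
    "lodash": ["4.17.4", "4.17.15", "4.17.19", "4.17.20", "4.17.21"],
    "@babel/core": ["7.12.0", "7.12.3", "7.14.0"],
    "semver": ["6.3.0", "6.3.1", "7.3.5"],
    "hypothetical-widget": ["0.3.2", "0.3.4", "0.4.0"],  # invented package
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse MAJOR.MINOR.PATCH; pre-release tags are out of scope here."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def range_bounds(spec: str) -> Tuple[Tuple[int, int, int], Tuple[int, int, int]]:
    """Return (low inclusive, high exclusive) for an exact, ^ or ~ range."""
    if spec.startswith("^"):
        major, minor, patch = parse_version(spec[1:])
        if major > 0:                      # ^1.2.3 -> >=1.2.3 <2.0.0
            high = (major + 1, 0, 0)
        elif minor > 0:                    # ^0.3.2 -> >=0.3.2 <0.4.0
            high = (0, minor + 1, 0)
        else:                              # ^0.0.4 -> exactly 0.0.4
            high = (0, 0, patch + 1)
        return (major, minor, patch), high
    if spec.startswith("~"):               # ~6.3.0 -> >=6.3.0 <6.4.0
        major, minor, patch = parse_version(spec[1:])
        return (major, minor, patch), (major, minor + 1, 0)
    low = parse_version(spec)              # exact pin
    return low, (low[0], low[1], low[2] + 1)


def satisfies(version: str, spec: str) -> bool:
    low, high = range_bounds(spec)
    return low <= parse_version(version) < high


def best_match(spec: str, available: List[str]) -> Optional[str]:
    """Newest published version that the range allows, or None."""
    candidates = [v for v in available if satisfies(v, spec)]
    return max(candidates, key=parse_version) if candidates else None


def parse_yarn_lock(text: str) -> Dict[Tuple[str, str], str]:
    """Map (package name, requested range) -> resolved version for yarn v1 syntax.

    An entry header is an unindented line ending in ':' listing one or more
    '"name@range"' keys; the following indented 'version "x.y.z"' line applies
    to all of them.
    """
    entries: Dict[Tuple[str, str], str] = {}
    pending: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.endswith(":"):
            pending = []
            for key in line[:-1].split(", "):
                name, spec = key.strip('"').rsplit("@", 1)  # rsplit keeps @scope/ names intact
                pending.append((name, spec))
        elif line.strip().startswith("version ") and pending:
            version = line.strip().split(" ", 1)[1].strip('"')
            for key in pending:
                entries[key] = version
            pending = []
    return entries


def stale_entries(lock_text: str, registry: Dict[str, List[str]]):
    """Entries whose pinned version is older than the newest version the range
    still admits: these are the pins Dependabot keeps alerting on."""
    report = []
    for (name, spec), pinned in sorted(parse_yarn_lock(lock_text).items()):
        newest = best_match(spec, registry.get(name, []))
        if newest and parse_version(newest) > parse_version(pinned):
            report.append((name, spec, pinned, newest))
    return report


if __name__ == "__main__":
    for name, spec, pinned, newest in stale_entries(LOCK_TEXT, REGISTRY):
        print(f"{name}@{spec}: locked {pinned}, range allows {newest}")
```

Running it on the constructed inputs lists lodash pinned at 4.17.15 while `^4.17.4` admits 4.17.21, which is the situation the ticket describes; `semver@~6.3.0` is reported against 6.3.1 but not 7.3.5, and the 0.x caret stays inside 0.3.x, so the report only names upgrades that a fresh `yarn install` without the lockfile would actually pick.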
Comments

Comment by Julian Ladisch [ 11/May/21 ]

Pull request to upgrade yarn.lock: https://github.com/folio-org/eslint-config-stripes/pull/81

Comment by Mike Gorrell [ 14/May/21 ]

The security team met and discussed. The yarn.lock file is not necessary so it may be removed... if not removed then please update it so that we don't continue to get these "false" warnings. Khalilah Gambrell

Comment by Khalilah Gambrell [ 17/May/21 ]

Agree Mike Gorrell. Change title to reflect requirement to Remove.