[ESCONF-5] Remove yarn.lock Created: 11/May/21  Updated: 24/Sep/21  Resolved: 21/May/21

Status: Closed
Project: eslint-config-stripes
Components: None
Affects versions: 3.2.1
Fix versions: 6.0.0

Type: Bug Priority: P3
Reporter: Julian Ladisch Assignee: Ryan Berger
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint: stripes-force 114
Development Team: Stripes Force

Description

Overview:

yarn.lock contains dependencies with old versions that are vulnerable, resulting in security warnings sent to FOLIO security team.

Steps to Reproduce:

Open https://github.com/folio-org/eslint-config-stripes/security

Expected Results:

The "Dependabot alerts" bot ignores package.json dependencies with a vulnerable version where a compatible more recent version with a fix exists.

Actual Results:

The "Dependabot alerts" bot lists all dependencies that are listed in yarn.lock even if a compatible more recent version with a fix exists.

Additional Information:

yarn.lock is 12 months old. A dependency like lodash "^4.17.4" has been resolved to "4.17.15" 12 months ago. This old version has security issues.

However, resolving it today yields a fixed version "4.17.21".

yarn.lock is NOT used when some other module depends on eslint-config-stripes.

yarn.lock is only used by GitHub Dependabot, and the results are posted to the GitHub security tab https://github.com/folio-org/eslint-config-stripes/security, and create security warnings sent to the FOLIO security team: https://folio-org.atlassian.net/wiki/display/SEC/

In the past yarn.lock was updated: https://github.com/folio-org/eslint-config-stripes/pull/65

This helps Dependabot and the security team.
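The mechanism behind the ticket (a caret range in package.json, a lockfile that pins an older resolution, and a newer fixed release that the same range already permits) can be checked mechanically. The script below is an added example written for this page, not code from eslint-config-stripes or FOLIO. It parses a constructed yarn v1 lockfile, applies the package.json ranges with a minimal semver matcher (exact, `^` and `~` only), and reports every dependency whose locked version is behind the newest published version that still satisfies its range. The list of published versions is a constructed stand-in for registry data; in practice it would come from a registry query such as `npm view <pkg> versions --json`, and the version numbers here are illustrative rather than a real registry snapshot.

```python
"""Find stale yarn.lock resolutions: locked versions older than the newest version
still allowed by the package.json range (e.g. "^4.17.4" locked at 4.17.15 while
4.17.21 satisfies the same range).

Added example for this ticket, not project code. All inputs below are constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# --- constructed inputs -------------------------------------------------------
PACKAGE_JSON_DEPS = {"lodash": "^4.17.4", "minimist": "^1.2.0", "semver": "~5.7.0"}

YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


lodash@^4.17.4:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz"

minimist@^1.2.0:
  version "1.2.5"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz"

semver@~5.7.0:
  version "5.7.1"
  resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.1.tgz"
"""

# Constructed stand-in for a registry query; illustrative, not a real snapshot.
PUBLISHED = {
    "lodash": ["4.17.4", "4.17.15", "4.17.19", "4.17.20", "4.17.21"],
    "minimist": ["1.2.0", "1.2.5"],
    "semver": ["5.7.0", "5.7.1", "5.7.2", "6.0.0", "7.3.5"],
}


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple (pre-releases not supported)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def satisfies(version: Version, range_spec: str) -> bool:
    """Minimal semver matcher for exact, caret (^) and tilde (~) ranges."""
    op, base = "", range_spec
    if range_spec[0] in "^~":
        op, base = range_spec[0], range_spec[1:]
    low = parse_version(base)
    if version < low:
        return False
    major, minor, patch = low
    if op == "":                          # "1.2.3" := exactly 1.2.3
        return version == low
    if op == "~":                         # ~1.2.3 := >=1.2.3 <1.3.0
        return version < (major, minor + 1, 0)
    if major > 0:                         # ^1.2.3 := >=1.2.3 <2.0.0
        return version < (major + 1, 0, 0)
    if minor > 0:                         # ^0.2.3 := >=0.2.3 <0.3.0
        return version < (0, minor + 1, 0)
    return version < (0, 0, patch + 1)    # ^0.0.3 := >=0.0.3 <0.0.4


def parse_yarn_lock_v1(text: str) -> Dict[str, str]:
    """Map each 'name@range' selector to its resolved version.

    In the v1 format an entry header is an unindented line ending in ':' and may
    list several comma-separated (optionally quoted) selectors sharing one entry.
    """
    resolved: Dict[str, str] = {}
    selectors: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" "):
            selectors = [s.strip().strip('"') for s in line.rstrip(":").split(",")]
            continue
        m = re.match(r'\s+version\s+"([^"]+)"', line)
        if m:
            for sel in selectors:
                resolved[sel] = m.group(1)
    return resolved


def find_stale_locks(deps: Dict[str, str], lock_text: str,
                     published: Dict[str, List[str]]) -> Dict[str, Tuple[str, str]]:
    """Return {name: (locked_version, newest_allowed_version)} for stale entries.

    'newest_allowed' is what a fresh resolution of the same range would pick, i.e.
    what a consumer that ignores this lockfile would actually install.
    """
    lock = parse_yarn_lock_v1(lock_text)
    stale: Dict[str, Tuple[str, str]] = {}
    for name, spec in deps.items():
        locked = lock.get(f"{name}@{spec}")
        if locked is None:
            continue  # selector absent from the lockfile; nothing to compare
        allowed = [v for v in published.get(name, []) if satisfies(parse_version(v), spec)]
        if not allowed:
            continue
        newest = max(allowed, key=parse_version)
        if parse_version(newest) > parse_version(locked):
            stale[name] = (locked, newest)
    return stale


if __name__ == "__main__":
    for name, (locked, newest) in find_stale_locks(PACKAGE_JSON_DEPS, YARN_LOCK, PUBLISHED).items():
        print(f"{name}: locked {locked}, range already allows {newest}")
```

With the constructed inputs, lodash and semver are reported as stale while minimist is not. The `newest_allowed` column is the interesting one for this ticket: it is the version a downstream package that depends on eslint-config-stripes would install, since that consumer never reads this repository's yarn.lock, so a Dependabot alert raised on the locked version describes the repository's own checkout rather than what consumers receive.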



Comments
Comment by Julian Ladisch [ 11/May/21 ]

Pull request to upgrade yarn.lock: https://github.com/folio-org/eslint-config-stripes/pull/81

Comment by Mike Gorrell [ 14/May/21 ]

The security team met and discussed. The yarn.lock file is not necessary so it may be removed... if not removed then please update it so that we don't continue to get these "false" warnings. Khalilah Gambrell

Comment by Khalilah Gambrell [ 17/May/21 ]

Agree Mike Gorrell. Change title to reflect requirement to Remove.

Generated at Thu Feb 08 22:14:33 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.