[FOLIO-2083] Fix security vulnerability reported for js-yaml < 3.13.1 Created: 06/Jun/19 Updated: 03/Jun/20 Resolved: 13/Jun/19 |
|
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | P2 |
| Reporter: | Peter Murray | Assignee: | Zak Burke |
| Resolution: | Done | Votes: | 0 |
| Labels: | frontend, security, triaged, ui-only |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | |
| Story Points: | 3 |
| Development Team: | Prokopovych |
| Description |
|
This affects both `platform-core` and `platform-complete`.

Remediation: Upgrade js-yaml to version 3.13.1 or later. For example, the yarn.lock entry should resolve to:

    js-yaml@^3.13.1:
      version "3.13.1"

Always verify the validity and compatibility of suggestions with your codebase.

Details: WS-2019-0063. js-yaml versions prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
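Added example, not FOLIO or js-yaml project code, for checking the remediation above: a small Node script that parses a yarn.lock v1 file and reports any js-yaml entry resolved below 3.13.1, which is how a transitive js-yaml pull-in like the one this issue describes would be spotted. The lock file contents are constructed, and FIXED_JS_YAML, parseYarnLock and findVulnerableJsYaml are names assumed here.

```javascript
// Added example, not FOLIO project code: flag js-yaml resolutions in a
// yarn.lock (v1 format) older than the fixed release from the issue. The
// lock text is constructed; on a real checkout read the file from disk.
const FIXED_JS_YAML = '3.13.1';

const SAMPLE_YARN_LOCK = `
# yarn lockfile v1
js-yaml@^3.13.1:
  version "3.13.1"

js-yaml@~3.7.0:
  version "3.7.0"
`;

// Numeric dotted-version comparison, pre-release suffix ignored: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse yarn.lock v1: unindented lines are entry headers holding one or
// more "name@range" specs; the two-space "version" line is the resolution.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line.replace(/:\s*$/, '').split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^ {2}version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Every js-yaml entry resolved below the fixed version (empty means clean).
function findVulnerableJsYaml(lockText, fixed = FIXED_JS_YAML) {
  return parseYarnLock(lockText).filter((e) =>
    e.specs.some((s) => s.startsWith('js-yaml@'))
    && e.version !== null && compareVersions(e.version, fixed) < 0);
}
```

Run it against the real lock file with `fs.readFileSync('yarn.lock', 'utf8')`; a non-empty result means a pinned js-yaml below the fixed release is still present, whichever package pulled it in.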
| Comments |
| Comment by Zak Burke [ 09/Jun/19 ] |
|
Fixed on #snapshot by purging unused dependencies in ui-calendar which created a transitive dep on js-yaml v3.7.0 via css-loader > cssnano > postcss-svgo > svgo. We'll have to wait until ui-calendar is formally released to mitigate this on #master.
| Comment by Zak Burke [ 13/Jun/19 ] |
|
ui-calendar v2.2.0 was published yesterday and as a result the vulnerable version of js-yaml has been purged from yarn.lock. |