[FOLIO-2083] Fix security vulnerability reported for js-yaml < 3.13.1 Created: 06/Jun/19  Updated: 03/Jun/20  Resolved: 13/Jun/19

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P2
Reporter: Peter Murray Assignee: Zak Burke
Resolution: Done Votes: 0
Labels: frontend, security, triaged, ui-only
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-2080 Fix security vulnerability reported f... Closed
Sprint:
Story Points: 3
Development Team: Prokopovych

Description

This affects both `platform-core` and `platform-complete`.

Remediation

Upgrade js-yaml to version 3.13.1 or later. For example:

js-yaml@^3.13.1:
 version "3.13.1"

Always verify the validity and compatibility of suggestions with your codebase.
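One way to check whether a lock file still resolves js-yaml below the patched version anywhere, including through transitive dependencies such as the svgo chain mentioned in the comments (added example, not FOLIO or js-yaml project code; the yarn.lock excerpt is constructed):

```javascript
// Added example (not FOLIO/js-yaml code): flag yarn.lock v1 entries resolved below a patched version.

// Parse yarn.lock v1 into [{ name, specifiers, version }].
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      // Header: comma-separated specifiers, each optionally double-quoted.
      const specifiers = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      // Package name is everything before the last '@' (handles @scope/name).
      const name = specifiers[0].slice(0, specifiers[0].lastIndexOf('@'));
      current = { name, specifiers, version: null };
      entries.push(current);
    } else {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m && current) current.version = m[1];
    }
  }
  return entries;
}

// Compare dotted numeric versions; prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const parts = v => v.split(/[-+]/)[0].split('.').map(Number);
  const pa = parts(a), pb = parts(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lock entries of `pkg` (direct or transitive) resolved below `patched`.
function findVulnerable(lockText, pkg, patched) {
  return parseYarnLock(lockText).filter(e =>
    e.name === pkg && e.version && compareVersions(e.version, patched) < 0);
}

// Constructed excerpt: one patched entry and one stale transitive entry.
const SAMPLE_LOCK = `js-yaml@^3.13.1:
  version "3.13.1"

"js-yaml@^3.7.0", js-yaml@~3.7.0:
  version "3.7.0"
`;

for (const e of findVulnerable(SAMPLE_LOCK, 'js-yaml', '3.13.1'))
  console.log(`${e.specifiers.join(', ')} -> ${e.version} (below 3.13.1)`);
```

Run it against a real yarn.lock by reading the file into `findVulnerable` in place of `SAMPLE_LOCK`; any entry it reports is a resolution that still needs upgrading or purging.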

Details

WS-2019-0063
high severity
Vulnerable versions: < 3.13.1
Patched version: 3.13.1

js-yaml versions prior to 3.13.1 are vulnerable to code injection: the load() function may execute arbitrary code injected through a malicious YAML file.

Comments
Comment by Zak Burke [ 09/Jun/19 ]

Fixed on #snapshot by purging unused dependencies in ui-calendar which created a transitive dep on js-yaml v3.7.0 via css-loader > cssnano > postcss-svgo > svgo. We'll have to wait until ui-calendar is formally released to mitigate this on #master.

Comment by Zak Burke [ 13/Jun/19 ]

ui-calendar v2.2.0 was published yesterday and as a result the vulnerable version of js-yaml has been purged from yarn.lock.

Generated at Thu Feb 08 23:18:05 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.