[FOLIO-3731] api_doc: json-ptr ^3.0.0, marked ^2.0.0, underscore ^1.12.1 Created: 03/Mar/23 Updated: 04/Mar/23 Resolved: 04/Mar/23 |
|
| Status: | Closed |
| Project: | FOLIO |
| Components: | Continuous Integration |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | TBD |
| Reporter: | Julian Ladisch | Assignee: | Julian Ladisch |
| Resolution: | Done | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Sprint: | DevOps Sprint 160 |
| Development Team: | FOLIO DevOps |
| RCA Group: | Related dependency upgrade |
| Description |
|
https://github.com/folio-org/folio-tools/blob/d051136/api-doc/deref-schema.js uses vulnerable indirect dependencies. We only fix the most critical ones.

Upgrade json-ptr from 0.1.1 to >= 3.0.0, fixing Prototype Pollution: https://nvd.nist.gov/vuln/detail/CVE-2021-23509

Upgrade underscore from 1.9.1 to >= 1.12.1, fixing Arbitrary Code Injection: https://nvd.nist.gov/vuln/detail/CVE-2021-23358

Upgrade marked from 1.2.9 to >= 2.0.0, fixing Regular Expression Denial of Service (ReDoS): https://nvd.nist.gov/vuln/detail/CVE-2021-21306

marked cannot be upgraded to >= 4.0.10, which would fix further vulnerabilities, because the major version bump from 2 to 4 causes a runtime failure. |
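The following is an added illustration, not code from this ticket, from folio-tools or from the json-ptr package, of the vulnerability class behind the json-ptr upgrade: a JSON Pointer walker that follows a caller-supplied pointer such as `/__proto__/isAdmin` writes into `Object.prototype`, and every object in the process then inherits the attacker's property. The minimal RFC 6901 walker, the `FORBIDDEN_SEGMENTS` guard and the attacker pointer are all constructed for the demonstration; the exact bypass described in CVE-2021-23509 is not reproduced here.

```javascript
// Added example, not code from folio-tools or the json-ptr package: a minimal
// RFC 6901 JSON Pointer walker in a vulnerable and a hardened version, to show
// the prototype-pollution class of bug that the json-ptr upgrade addresses.
// The attacker-controlled pointer used in demo() is constructed for this demo.

function decodeSegment(seg) {
  // RFC 6901 escaping: "~1" is "/", "~0" is "~" (decoded in that order)
  return seg.replace(/~1/g, '/').replace(/~0/g, '~');
}

function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error('invalid JSON pointer: ' + pointer);
  return pointer.slice(1).split('/').map(decodeSegment);
}

// Vulnerable: creates intermediate objects and follows whatever segment the
// pointer names, including inherited properties such as "__proto__".
function setUnsafe(target, pointer, value) {
  const segs = parsePointer(pointer);
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur[segs[i]] === undefined || cur[segs[i]] === null) cur[segs[i]] = {};
    cur = cur[segs[i]]; // for "__proto__" this is Object.prototype
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// Segments that let a pointer climb from a plain object into shared prototypes.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeSegments(segs) {
  for (const s of segs) {
    if (FORBIDDEN_SEGMENTS.has(s)) {
      throw new Error('refusing prototype-polluting pointer segment: ' + s);
    }
  }
}

function isOwnProp(obj, key) {
  return obj !== null && typeof obj === 'object' &&
    Object.prototype.hasOwnProperty.call(obj, key);
}

// Hardened: rejects the dangerous segments up front and only walks own properties.
function setSafe(target, pointer, value) {
  const segs = parsePointer(pointer);
  if (segs.length === 0) throw new Error('refusing to replace the whole document');
  assertSafeSegments(segs);
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    if (!isOwnProp(cur, segs[i]) || typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) {
      cur[segs[i]] = {};
    }
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// Hardened read, the operation a "$ref" dereference needs: inherited
// properties (e.g. "/toString") are not resolvable, only own properties are.
function getSafe(target, pointer) {
  const segs = parsePointer(pointer);
  assertSafeSegments(segs);
  let cur = target;
  for (const seg of segs) {
    if (!isOwnProp(cur, seg)) return undefined;
    cur = cur[seg];
  }
  return cur;
}

// Runs the attack against both versions and reports what happened; the
// polluted property is removed afterwards so the process is left clean.
function demo() {
  const attackerPointer = '/__proto__/isAdmin'; // constructed attacker input
  setUnsafe({}, attackerPointer, true);
  const pollutedUnsafe = ({}).isAdmin === true; // unrelated objects now carry isAdmin
  delete Object.prototype.isAdmin;

  let safeRejected = false;
  try {
    setSafe({}, attackerPointer, true);
  } catch (e) {
    safeRejected = true;
  }
  const pollutedAfterSafe = ({}).isAdmin !== undefined;
  return { pollutedUnsafe, safeRejected, pollutedAfterSafe };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(getSafe({ definitions: { 'a/b': { type: 'string' } } }, '/definitions/a~1b'));
}
```

The useful check when reviewing a dependency like this is whether pointer segments are validated before the walk and whether traversal uses own-property lookups; a deny-list alone is bypassable if the library also accepts non-string segments, which is why the fix here is the version bump rather than a local patch.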
| Comments |
| Comment by David Crossley [ 04/Mar/23 ] |
|
Thanks for solving that part. This will be deployed with the next re-build of the Jenkins image for those repos that now use this via Workflows.
|