[FOLIO-3731] api_doc: json-ptr ^3.0.0, marked ^2.0.0, underscore ^1.12.1 Created: 03/Mar/23  Updated: 04/Mar/23  Resolved: 04/Mar/23

Status: Closed
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Bug Priority: TBD
Reporter: Julian Ladisch Assignee: Julian Ladisch
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint: DevOps Sprint 160
Development Team: FOLIO DevOps
RCA Group: Related dependency upgrade

Description

https://github.com/folio-org/folio-tools/blob/d051136/api-doc/deref-schema.js

uses vulnerable indirect dependencies. We only fix the most critical ones.

Upgrade json-ptr from 0.1.1 to >= 3.0.0 fixing Prototype Pollution: https://nvd.nist.gov/vuln/detail/CVE-2021-23509

Upgrade underscore from 1.9.1 to >= 1.12.1 fixing Arbitrary Code Injection: https://nvd.nist.gov/vuln/detail/CVE-2021-23358

Upgrade marked from 1.2.9 to >= 2.0.0 fixing Regular Expression Denial of Service (ReDoS): https://nvd.nist.gov/vuln/detail/CVE-2021-21306

marked cannot be upgraded to >= 4.0.10 to fix more vulnerabilities because the major version bump from 2 to 4 causes a runtime failure.
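The ticket fixes three indirect dependencies by raising them to a minimum version. A useful check before and after such an upgrade is to walk the lockfile and list every installed copy of those packages that is still below the floor, including copies nested under other dependencies, which is where indirect dependencies live. The script below is an added example, not code from folio-tools or the FOLIO project; the package names and minimum versions come from this ticket, the lockfile content is constructed sample data, and the version comparison is a deliberately minimal semver comparison (no range syntax).

```javascript
// Added example (not from folio-tools): report installed packages that are
// still below the minimum versions named in FOLIO-3731.

// Floors from the ticket, keyed by package name.
const MIN_VERSIONS = {
  'json-ptr': '3.0.0',    // CVE-2021-23509, prototype pollution
  'underscore': '1.12.1', // CVE-2021-23358, arbitrary code injection
  'marked': '2.0.0',      // CVE-2021-21306, ReDoS
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", trailing prerelease ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of the three components: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Collect every installed package with its install path. Lockfile v2/v3
// has a flat "packages" map keyed by path; lockfile v1 has a nested
// "dependencies" tree. A v2 file carries both, so "packages" wins to
// avoid double counting.
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry
      const marker = 'node_modules/';
      const name = key.slice(key.lastIndexOf(marker) + marker.length);
      found.push({ name, version: meta.version, path: key });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      found.push({ name, version: meta.version, path });
      if (meta.dependencies) walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Installed copies of tracked packages that are below their floor.
function findOutdated(lock, minVersions = MIN_VERSIONS) {
  return collectInstalled(lock)
    .filter((p) => p.name in minVersions
      && compareVersions(p.version, minVersions[p.name]) < 0)
    .map((p) => ({ ...p, required: minVersions[p.name] }));
}

// Constructed sample lockfile (v1 layout): one direct json-ptr and marked,
// two nested copies of underscore, only one of which is below the floor.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'json-ptr': { version: '0.1.1' },
    marked: { version: '1.2.9' },
    'some-tool': {
      version: '4.2.0',
      dependencies: { underscore: { version: '1.9.1' } },
    },
    'another-tool': {
      version: '0.3.0',
      dependencies: { underscore: { version: '1.13.6' } },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Real usage: JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))
  console.log(JSON.stringify(findOutdated(SAMPLE_LOCK), null, 2));
}

module.exports = { MIN_VERSIONS, parseVersion, compareVersions, collectInstalled, findOutdated };
```

Reporting the install path matters for indirect dependencies: a nested copy such as `node_modules/some-tool/node_modules/underscore` is not fixed by changing the project's own `package.json`, which is why a ticket like this one has to bump the floor in the lockfile (or via an override) rather than only the direct dependency list.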



Comments
Comment by David Crossley [ 04/Mar/23 ]

Thanks for solving that part.

This will be deployed with the next re-build of the Jenkins image FOLIO-3725 (Closed).

For those repos that now use this via Workflows FOLIO-3678 (Closed), it is in use immediately.

Generated at Thu Feb 08 23:30:17 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.