[UINOTES-35] Fix security vulnerability reported for js-yaml < 3.13.1 Created: 06/Jun/19  Updated: 24/Jun/19  Resolved: 24/Jun/19

Status: Closed
Project: ui-notes
Components: None
Affects versions: None
Fix versions: 1.2.0

Type: Bug Priority: TBD
Reporter: Peter Murray Assignee: Sobha Duvvuri
Resolution: Cannot Reproduce Votes: 0
Labels: epam-spitfire, front-end, security, ui-only
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
blocks FOLIO-2080 Fix security vulnerability reported f... Closed
Relates
relates to UXPROD-1299 eholdings - Notes Support Closed
Sprint: eHoldings Sprint 66
Development Team: Spitfire

Description

Remediation

Upgrade js-yaml to version 3.13.1 or later.
For example, the resolved entry in yarn.lock should read:

js-yaml@^3.13.1:
  version "3.13.1"

Always verify the validity and compatibility of suggestions with your codebase.

Details

WS-2019-0063
high severity
Vulnerable versions: < 3.13.1
Patched version: 3.13.1

js-yaml versions prior to 3.13.1 are vulnerable to code injection: the load() function may execute arbitrary code injected through a malicious YAML file.
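Since the remediation is a lockfile version bump, the practical check is whether every js-yaml entry in yarn.lock resolves to 3.13.1 or later. The following is an added example written for this ticket (not ui-notes project code); it assumes the yarn.lock v1 text format and uses a constructed sample lockfile:

```javascript
// Added example (not ui-notes project code): audit a yarn.lock v1 file for
// js-yaml entries that resolve below the release patched in WS-2019-0063.
const PATCHED_JS_YAML = "3.13.1";

// Compare dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse yarn.lock v1: unindented lines ending in ":" are entry headers
// (comma-separated, possibly quoted selectors); indented lines are fields.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      const selectors = raw.replace(/:\s*$/, "").split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { selectors, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.trim().match(/^version\s+"?([^"\s]+)"?$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Resolved js-yaml entries still below the patched version; [] means clean.
// The package name is everything before a selector's last "@".
function findVulnerableJsYaml(lockText, patched = PATCHED_JS_YAML) {
  return parseYarnLock(lockText)
    .filter((e) => e.selectors.some((s) => s.slice(0, s.lastIndexOf("@")) === "js-yaml"))
    .filter((e) => e.version && compareVersions(e.version, patched) < 0)
    .map((e) => ({ selectors: e.selectors, version: e.version }));
}

// Constructed sample lockfile: one entry already patched, one still stale.
const SAMPLE_LOCK = `# yarn lockfile v1
js-yaml@^3.13.1, js-yaml@^3.9.0:
  version "3.13.1"
js-yaml@^3.12.0:
  version "3.12.2"
`;
```

Running findVulnerableJsYaml over a real yarn.lock returns the stale entries with the selectors that pull them in, which is the evidence needed to decide whether a transitive dependency still has to be fixed or has already been resolved.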

Comments
Comment by Zak Burke [ 13/Jun/19 ]

I think this was a transitive dependency that appears to have been resolved automatically somewhere down the dep tree. Agreed, Igor Godlevskyi?

Comment by Sobha Duvvuri [ 24/Jun/19 ]

Waiting on response from Peter Murray to understand if this still needs to be tackled.

Observations are as follows:
1. We cannot see these security vulnerabilities either in GitHub or in SonarCloud.
2. These are inner dependencies of dependencies, and when looked at in the yarn.lock file, it looks like these libraries are being resolved to the correct versions (the ones without the security issues), which is why we want to confirm whether these still need to be fixed.
3. Modifying the yarn.lock file directly might not make sense, since it's possible that it gets regenerated automatically.

Comment by Sobha Duvvuri [ 24/Jun/19 ]

Per Peter Murray, these were reported by GitHub's vulnerability scan, and GitHub is no longer showing the vulnerabilities. So, closing this as non-reproducible.

Generated at Thu Feb 08 23:18:04 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.