[UXPROD-2340] Remaining - Security update eslint to >= 6.2.1 or eslint-util >= 1.4.1 Created: 20/Mar/20  Updated: 16/Sep/21  Resolved: 15/Jul/20

Status: Closed
Project: UX Product
Components: None
Affects versions: None
Fix versions: Q2 2020

Type: New Feature Priority: P3
Reporter: Julian Ladisch Assignee: Ryan Berger
Resolution: Done Votes: 0
Labels: NFR, q1-2020-split, security, tech-debt
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Cloners
clones UXPROD-2240 Security update eslint to >= 6.2.1 or... Closed
Relates
relates to UIU-1446 Security update eslint to >= 6.2.1 or... Closed
relates to ERM-729 Security update eslint to >= 6.2.1 or... Closed
relates to STCOM-642 Security update eslint to >= 6.2.1 or... Closed
relates to STCON-93 Security update eslint to >= 6.2.1 or... Closed
relates to STCOR-412 Security update eslint to >= 6.2.1 or... Closed
relates to STRIPESFF-1 Security update eslint to >= 6.2.1 or... Closed
relates to STSMACOM-297 Security update eslint to >= 6.2.1 or... Closed
relates to UIAC-13 Security update eslint to >= 6.2.1 or... Closed
relates to UICAT-64 Security update eslint to >= 6.2.1 or... Closed
relates to UICHKIN-150 Security update eslint to >= 6.2.1 or... Closed
relates to UICHKOUT-586 Security update eslint to >= 6.2.1 or... Closed
relates to UICIRC-414 Security update eslint to >= 6.2.1 or... Closed
relates to UID-20 Security update eslint to >= 6.2.1 or... Closed
relates to UIDATIMP-370 Security update eslint to >= 6.2.1 or... Closed
relates to UIDATIMP-376 Security update eslint to >= 6.2.1 or... Closed
relates to UIEUS-127 Security update eslint to >= 6.2.1 or... Closed
relates to UIF-174 Security update eslint to >= 6.2.1 or... Closed
relates to UIIN-940 Security update eslint to >= 6.2.1 or... Closed
relates to UIMPROF-41 Security update eslint to >= 6.2.1 or... Closed
relates to UINV-112 Security update eslint to >= 6.2.1 or... Closed
relates to UIOR-499 Security update eslint to >= 6.2.1 or... Closed
relates to UIORGS-144 Security update eslint to >= 6.2.1 or... Closed
relates to UIPCITEM-6 Security update eslint to >= 6.2.1 or... Closed
relates to UIPFCONT-3 Security update eslint to >= 6.2.1 or... Closed
relates to UIPFI-7 Security update eslint to >= 6.2.1 or... Closed
relates to UIPFIMP-8 Security update eslint to >= 6.2.1 or... Closed
relates to UIPFINT-4 Security update eslint to >= 6.2.1 or... Closed
relates to UIPFO-7 Security update eslint to >= 6.2.1 or... Closed
relates to UIPFPOL-5 Security update eslint to >= 6.2.1 or... Closed
relates to UIPFU-24 Security update eslint to >= 6.2.1 or... Closed
relates to UIREC-40 Security update eslint to >= 6.2.1 or... Closed
relates to UIREQ-407 Security update eslint to >= 6.2.1 or... Closed
relates to UISE-117 Security update eslint to >= 6.2.1 or... Closed
relates to UISP-13 Security update eslint to >= 6.2.1 or... Closed
relates to UITAG-26 Security update eslint to >= 6.2.1 or... Closed
relates to UITEN-72 Security update eslint to >= 6.2.1 or... Closed
relates to UITEST-73 Security update eslint to >= 6.2.1 or... Closed
Development Team: Stripes Force

Description

https://github.com/mysticatea/eslint-utils/security/advisories/GHSA-3gx7-xhv7-5mx3 says:

'getStaticValue' function can execute arbitrary code

This can be fixed by updating eslint to >= 6.2.1 or updating eslint-utils (the package the advisory covers) to >= 1.4.1.

Some examples of which eslint version is currently in use:
- 5.6.1: https://github.com/folio-org/platform-core/blob/master/package.json#L45
- 4.19.1: https://github.com/folio-org/platform-complete/blob/master/package.json#L62
- 5.12.0: https://github.com/folio-org/eslint-config-stripes/blob/master/package.json#L16
- 5.0.0: https://github.com/folio-org/stripes/blob/master/package.json#L34

This should be fixed even if FOLIO is not affected by this issue. Otherwise people get used to ignoring the GitHub security warnings and miss relevant security issues.
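Because eslint itself depends on eslint-utils, a project can carry a vulnerable copy transitively even when package.json never names it, so checking the lockfile rather than package.json is what tells you whether the >= 1.4.1 (or eslint >= 6.2.1) condition above is actually met. The following is an added example, not code from this issue or from any FOLIO project: it walks a package-lock.json in the lockfileVersion 1 layout (nested "dependencies" objects, an assumption about the lockfile format) and reports every installed eslint-utils older than 1.4.1 together with the dependency path that pulled it in. The sample lockfile embedded at the bottom is constructed for the demonstration and is not a real FOLIO lockfile.

```javascript
// Added example (not part of the Jira issue or any FOLIO project code).
// Scan a package-lock.json (lockfileVersion 1 layout, nested "dependencies")
// for copies of eslint-utils below the fixed release named in the issue.

const FIXED_ESLINT_UTILS = '1.4.1';
const FIXED_ESLINT = '6.2.1';

// Compare two dotted numeric versions; pre-release suffixes are ignored.
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the nested dependency tree of a v1 lockfile, yielding each installed
// package with the chain of parents that caused it to be installed.
function* walk(deps, parents = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...parents, name];
    yield { name, version: info.version, path };
    if (info.dependencies) yield* walk(info.dependencies, path);
  }
}

// Return installed copies of `pkg` whose version is below `fixed`, each with
// a human-readable path explaining why that copy is present.
function findOutdated(lockfile, pkg, fixed) {
  return [...walk(lockfile.dependencies)]
    .filter((p) => p.name === pkg && compareVersions(p.version, fixed) < 0)
    .map((p) => ({ version: p.version, via: p.path.join(' > ') }));
}

// The two checks the issue asks for: vulnerable eslint-utils copies, and
// eslint copies old enough to still bundle one.
function findVulnerableEslintUtils(lockfile) {
  return findOutdated(lockfile, 'eslint-utils', FIXED_ESLINT_UTILS);
}
function findOldEslint(lockfile) {
  return findOutdated(lockfile, 'eslint', FIXED_ESLINT);
}

// Constructed sample lockfile (not a real FOLIO lockfile): an old eslint
// drags in a vulnerable eslint-utils, while a hypothetical plugin already
// ships the fixed one and must not be reported.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    eslint: {
      version: '5.12.0',
      dependencies: { 'eslint-utils': { version: '1.3.1' } },
    },
    'eslint-plugin-example': {
      version: '2.0.0',
      dependencies: { 'eslint-utils': { version: '1.4.2' } },
    },
  },
};

// Print a short report for the sample; a real run would JSON.parse the
// project's package-lock.json instead of using SAMPLE_LOCK.
function report(lockfile) {
  for (const hit of findVulnerableEslintUtils(lockfile)) {
    console.log(`eslint-utils ${hit.version} < ${FIXED_ESLINT_UTILS} via ${hit.via}`);
  }
  for (const hit of findOldEslint(lockfile)) {
    console.log(`eslint ${hit.version} < ${FIXED_ESLINT} via ${hit.via}`);
  }
}
report(SAMPLE_LOCK);
```

On the constructed sample this reports the 1.3.1 copy reached through eslint and the 5.12.0 eslint itself, and stays silent about the plugin's 1.4.2 copy; the "via" path is what tells you which top-level dependency has to be bumped to make the warning go away.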


Comments
Comment by Khalilah Gambrell [ 15/Jul/20 ]

Peter Murray, Julian Ladisch, and Ryan Berger - Course reserves is the only app not to make this change https://folio-org.atlassian.net/browse/UICR-17. I am going to create a separate feature that covers course reserves and close this one.

cc: Kelly Drake and Charlotte Whitt

Comment by Peter Murray [ 15/Jul/20 ]

cc: Mike Gorrell

Comment by Charlotte Whitt [ 15/Jul/20 ]

thanks Khalilah Gambrell - we'll pick up the work in Q3 2020

Generated at Fri Feb 09 00:23:08 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.