Hi @majodev,
Issue
Six vulnerabilities (2 high, 2 medium and 2 low severity) are introduced in @aaa-backend-stack/build-tools:
1. Vulnerability CVE-2020-28469 (medium severity) is detected in package glob-parent (versions: <5.1.2): https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
2. Vulnerability CVE-2019-10795 (medium severity) is detected in package undefsafe (versions: <2.0.3): https://snyk.io/vuln/SNYK-JS-UNDEFSAFE-548940
3. Vulnerability CVE-2018-1109 (low severity) is detected in package braces (versions: <2.3.1): https://snyk.io/vuln/npm:braces:20180219
4. Vulnerability CVE-2020-8203 (low severity) is detected in package lodash (versions: <4.17.16): https://snyk.io/vuln/SNYK-JS-LODASH-567746
5. Vulnerability CVE-2021-23337 (high severity) is detected in package lodash (versions: <4.17.21): https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054
6. Vulnerability SNYK-JS-LODASH-608086 (high severity) is detected in package lodash (versions: <4.17.17): https://snyk.io/vuln/SNYK-JS-LODASH-608086
The above vulnerable packages are referenced by @aaa-backend-stack/build-tools via:
1. @aaa-backend-stack/[email protected] ➔ [email protected]
2. @aaa-backend-stack/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
3. @aaa-backend-stack/[email protected] ➔ [email protected] ➔ [email protected]
4. @aaa-backend-stack/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
Solution
Since @aaa-backend-stack/[email protected].* is transitively referenced by 18 downstream projects (e.g., @aaa-backend-stack/rest 2.4.5 (latest version), @aaa-backend-stack/utils 2.4.4 (latest version), @aaa-backend-stack/graphql-rest-bindings 2.4.5 (latest version), @aaa-backend-stack/graphql 2.4.4 (latest version), @aaa-backend-stack/git-info 2.4.4 (latest version)), if @aaa-backend-stack/[email protected].* removes the vulnerable packages from the above version, then its fixed version can help downstream users decrease their pain.
Could you help update packages in these versions?
Fixing suggestions
In @aaa-backend-stack/[email protected].*, you can kindly perform the following upgrades (not crossing their major versions):
1. lodash 4.17.15 ➔ 4.17.21;
Note:
[email protected] has fixed the vulnerabilities CVE-2020-8203, CVE-2021-23337 and SNYK-JS-LODASH-608086
2. nodemon 1.11.0 ➔ 1.14.11;
Note:
nodemon 1.14.11 transitively depends on [email protected] (a vulnerability CVE-2018-1109 patched version); nodemon 1.14.11 directly depends on [email protected] (a vulnerability CVE-2019-10795 patched version)
3. npm-watch 0.2.0 ➔ 0.7.0;
Note:
npm-watch 0.7.0 transitively depends on [email protected] (a vulnerability CVE-2020-28469 patched version)
Thanks for your contributions to the npm ecosystem!
Best regards,
Paimon
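A way for a downstream user of this package to check their own lockfile against the advisories listed in the issue, as an added example that is not part of the issue or of the @aaa-backend-stack project: it walks the nested `dependencies` layout of a lockfileVersion 1 `package-lock.json`, compares each install of glob-parent, undefsafe, braces and lodash with the patched version from the report, and returns the dependency path that pulls each vulnerable copy in. The `compareVersions` helper, the `SAMPLE_LOCK` excerpt and its intermediate package names and versions are constructed for the example, not taken from the real lockfile.

```javascript
// Patched versions transcribed from the issue; lodash uses the highest of its three
// thresholds (4.17.16 / 4.17.17 / 4.17.21) so a copy is only "clean" when all are fixed.
const ADVISORIES = {
  "glob-parent": { fixed: "5.1.2",   id: "CVE-2020-28469" },
  "undefsafe":   { fixed: "2.0.3",   id: "CVE-2019-10795" },
  "braces":      { fixed: "2.3.1",   id: "CVE-2018-1109" },
  "lodash":      { fixed: "4.17.21", id: "CVE-2021-23337 (also CVE-2020-8203, SNYK-JS-LODASH-608086)" },
};

// Minimal major.minor.patch comparison; pre-release suffixes are dropped (assumption
// of this example, not full semver). Returns <0, 0, >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively visit nested "dependencies" objects (lockfileVersion 1 layout) and
// collect one finding per vulnerable install, with the chain that introduces it.
function findVulnerable(deps, path = [], findings = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${meta.version}`];
    const adv = ADVISORIES[name];
    if (adv && compareVersions(meta.version, adv.fixed) < 0) {
      findings.push({ name, version: meta.version, fixed: adv.fixed, id: adv.id, path: here.join(" > ") });
    }
    findVulnerable(meta.dependencies, here, findings); // nested (non-hoisted) copies
  }
  return findings;
}

// Constructed lockfile excerpt: a direct lodash, nodemon with a nested undefsafe and a
// deeper braces, and npm-watch whose glob-parent already sits at the patched version.
const SAMPLE_LOCK = {
  dependencies: {
    lodash: { version: "4.17.15" },
    nodemon: { version: "1.11.0", dependencies: {
      undefsafe: { version: "0.0.3" },
      chokidar: { version: "1.7.0", dependencies: { braces: { version: "1.8.5" } } } } },
    "npm-watch": { version: "0.2.0", dependencies: { "glob-parent": { version: "5.1.2" } } },
  },
};

// Human-readable report lines, one per finding (returned rather than printed).
function report(lock) {
  return findVulnerable(lock.dependencies).map(
    f => `${f.id}: ${f.name}@${f.version} (< ${f.fixed}) via ${f.path}`);
}
```

Because the walk descends into nested copies, it catches a vulnerable version that npm kept unhoisted beneath a parent even when the top-level copy of the same package is already patched.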