fix js-yaml vulnerability (transitive dependency) #678
Conversation
|
👋 karen-stepanyan, thanks for creating this pull request! To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team. Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks! |
NPM Publishing labels 🏷️🔵 This PR has the |
package.json
Outdated
| "arrowParens": "always" | ||
| }, | ||
| "resolutions": { | ||
| "**/js-yaml": "3.14.2" |
There was a problem hiding this comment.
Will this break the dependencies that need the next major version js-yaml@^4.1.0?
I'm wondering if we can instead only resolve the concerning version e.g.
"**/js-yaml@3.14.1": "^3.14.2"
There was a problem hiding this comment.
I don't think it will break, but I changed it to supertap/js-yaml which seems to be the issue. unfortunately ava dependency that we use is on latest version, but is using older dependency internally, so we have to use resolutions
There was a problem hiding this comment.
Is there any issue with targeting 3.14.1 for resolution specifically? Rather than all versions of supertap/js-yaml
There was a problem hiding this comment.
Also can we use ^3.14.2, so we still pick up new versions?
There was a problem hiding this comment.
3.14.1 contains the vulnerability. the minimum version should be 3.14.2.
all of other deps are actually locked to a specific version, and we let depandabot or renovate bot to handle package updates.
|
Are we actually at risk of parsing untrusted yaml? Or can we just wait for ava to update their dependencies? |
|
I don't think we are at risk, but we have to resolve those security issues now. |
3 participants
https://github.com/smartcontractkit/ea-framework-js/security/dependabot/50