fix(security): upgrade 1 vulnerable package #249

Security fixes:
- fsevents: transitive → 2.3.3

Addresses vulnerabilities:
- CVE-2023-45311

Automated security fix by Security Bot
| "node": ">=4.0.0" | ||
| } | ||
| }, | ||
| "node_modules/webpack-dev-server": { |
High severity vulnerability may affect your project—review required:
Line 8578 lists a dependency (webpack-dev-server) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of webpack-dev-server are vulnerable to Improper Input Validation. Missing origin validation on webpack-dev-server's Hot Module Replacement websocket allows any webpage to connect to the dev server's socket, access in‐memory compiled assets and source code, and exfiltrate a developer's source files.
To resolve this comment:
Check if you are using webpack-dev-server with Hot Module Replacement enabled (i.e. using the --hot argument).
- If you're affected, upgrade this dependency to at least version 3.1.11 at examples/package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
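The missing origin check the comment above describes, shown as an added example of the validation a dev server's WebSocket upgrade handler should perform (illustrative code, not webpack-dev-server's own; the allowed-host list and the handshake headers are constructed):

```javascript
// Added example (not webpack-dev-server's code): an Origin check on a WebSocket
// upgrade request, so a page from another site cannot attach to the HMR socket.
// Node built-ins only; request headers below are constructed.

// Hosts the dev server is willing to serve HMR to (assumption: local dev setup).
const ALLOWED_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Decide whether an upgrade request may proceed. Returns { ok, reason }.
function checkUpgrade(headers, allowedHosts = ALLOWED_HOSTS) {
  const origin = headers["origin"];
  // Browsers always send Origin on WebSocket handshakes; a missing header means a
  // non-browser client. Treat it as untrusted rather than silently allowing it.
  if (typeof origin !== "string" || origin === "") {
    return { ok: false, reason: "missing Origin header" };
  }
  // "null" is what browsers send for opaque origins (sandboxed iframes, file://).
  if (origin === "null") {
    return { ok: false, reason: "opaque origin" };
  }
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return { ok: false, reason: "unparseable Origin header" };
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return { ok: false, reason: `unexpected scheme ${parsed.protocol}` };
  }
  // Exact hostname match, not a substring or suffix check, so
  // "localhost.attacker.example" does not pass.
  if (!allowedHosts.has(parsed.hostname)) {
    return { ok: false, reason: `origin host ${parsed.hostname} not allowed` };
  }
  return { ok: true, reason: "origin allowed" };
}

// Constructed handshake headers: a page served by the dev server itself, and a
// third-party page trying to attach to the same socket.
const sameOrigin = { host: "localhost:8080", origin: "http://localhost:8080", upgrade: "websocket" };
const crossOrigin = { host: "localhost:8080", origin: "https://evil.example", upgrade: "websocket" };
```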
| "babel-runtime": "^6.26.0", | ||
| "babel-traverse": "^6.26.0", | ||
| "babel-types": "^6.26.0", | ||
| "babylon": "^6.18.0", | ||
| "lodash": "^4.17.4" | ||
| } | ||
| }, | ||
| "babel-traverse": { | ||
| "node_modules/babel-traverse": { |
Critical severity vulnerability may affect your project—review required:
Line 1291 lists a dependency (babel-traverse) with a known Critical severity vulnerability.
ℹ️ Why this matters
Affected versions of @babel/traverse, babel-traverse, @babel/plugin-transform-runtime, @babel/preset-env, @babel/helper-define-polyfill-provider, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-corejs3, babel-plugin-polyfill-es-shims, and babel-plugin-polyfill-regenerator are vulnerable to Incomplete List Of Disallowed Inputs. An attacker can exploit a vulnerability in the internal Babel methods path.evaluate() or path.evaluateTruthy() by compiling specially crafted code, potentially resulting in arbitrary code execution during compilation. babel-traverse does not have a fix version. If you are using babel-traverse, switch to @babel/traverse.
To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "node": ">=0.10.0" | ||
| } | ||
| }, | ||
| "node_modules/union-value/node_modules/set-value": { |
Critical severity vulnerability introduced by a package you're using:
Line 8165 lists a dependency (set-value) with a known Critical severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected versions of set-value and set-value are vulnerable to Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
To resolve this comment:
Upgrade this dependency to at least version 2.0.1 at examples/package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| "set-value": { | ||
| "node_modules/set-value": { |
Critical severity vulnerability introduced by a package you're using:
Line 7242 lists a dependency (set-value) with a known Critical severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected versions of set-value and set-value are vulnerable to Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
To resolve this comment:
Upgrade this dependency to at least version 2.0.1 at examples/package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
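The prototype-pollution defect that both set-value comments above describe, as an added example (illustrative code, not set-value's own): a set-by-path helper that does not validate keys, the hardened version beside it, and a check that detects whether a call polluted Object.prototype. Inputs are constructed.

```javascript
// Added example (not set-value's code): a minimal set-by-path helper of the kind
// the advisory describes, first without key validation, then hardened.

// Vulnerable: follows whatever keys the caller supplies, including "__proto__",
// so a path like "__proto__.x" writes onto Object.prototype.
function setUnsafe(target, path, value) {
  const keys = path.split(".");
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === null || typeof cur[k] !== "object") cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject keys that reach Object.prototype; only descend into own properties.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

function setSafe(target, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new TypeError(`refusing reserved key in path "${path}"`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== "object") cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Detection check: after calling setFn on a throwaway object, does an unrelated
// fresh object see the property? "PROBE" becomes a random key, removed afterwards.
function pollutes(setFn, path) {
  const probe = "polluted_" + Math.random().toString(36).slice(2);
  try {
    setFn({}, path.replace("PROBE", probe), true);
  } catch {
    return false;
  }
  const leaked = ({})[probe] === true;
  delete Object.prototype[probe];
  return leaked;
}
```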
Apologies — a script accidentally modified this PR's title and description. The original title has been restored. The description may need to be manually restored by the PR author. Sorry for the inconvenience.
Summary
package-lock.json to eliminate malicious fsevents dependency (MAL-2023-462)

Why delete the lock file instead of editing it?
- fsevents is a transitive dependency — pulled in by webpack, chokidar, and other build tools — not a direct dependency in package.json
- npm install will generate a clean lock file with only safe versions

Impact Assessment
- fsevents is an optional, macOS-only, transitive dependency

Test plan