Skip to content

Commit

Permalink
fix: the CVEs of braces nth-check vite webpack-dev-middleware - 2024-07
Browse files Browse the repository at this point in the history
1. We have several high severity CVEs in the project and this intends to
fix a large batch of them by forcing the resolutions project-wide.
2. Longer term fix is to upgrade our direct dependencies that will have
upgraded their own direct and transitive dependencies to non-vulnerable
versions but while we wait for all the fixes to trickle up through our
dependency tree we need a solution that avoids having the vulnerable
versions installed.
3. This does not fix all the currently vulnerable dependencies of ours
because some of the dependencies have not shipped a fix yet at all and
in these cases our only other option would be to strip out the library
and re-implement something from scratch.
4. The dependencies which did not have a fix available I prefixed with "x-"
in the root package.json's resolutions declaration so that they are there
at least for reference and as soon as (hopefully soon) the fixes ship
we just need to remove the x- prefix to make it available.

Signed-off-by: Peter Somogyvari <[email protected]>
  • Loading branch information
petermetz committed Jul 11, 2024
1 parent f75d60e commit 4253d3f
Show file tree
Hide file tree
Showing 2 changed files with 202 additions and 1,063 deletions.
11 changes: 10 additions & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -89,24 +89,33 @@
"@babel/traverse": ">=7.23.2",
"ansi-html": ">=0.0.8",
"axios": ">=0.27.2",
"braces": ">=3.0.3",
"x-dicer": ">0.3.1",
"engine.io": ">=6.4.2",
"get-func-name": ">=2.0.1",
"glob-parent": ">=5.1.2",
"x-hoek": ">6.1.3",
"http-cache-semantics": ">=4.1.1",
"x-ip": ">2.0.1",
"jsonwebtoken": ">=9.0.0",
"jsrsasign": ">=11.0.0",
"lodash": ">=4.17.21",
"x-minimatch": ">=3.0.5",
"minimist": ">=1.2.6",
"nano": ">=10.0.0",
"node-forge": ">=1.3.0",
"nth-check": ">=2.0.1",
"postcss": ">=8.4.31",
"protobufjs": ">=7.2.5",
"semver": ">=7.5.2",
"socket.io-parser": ">=4.2.3",
"tough-cookie": ">=4.1.3",
"underscore": ">=1.13.2",
"vite": ">4.5.1",
"webpack-dev-middleware": ">=6.1.2",
"ws": ">=1.1.5",
"xml2js": ">=0.5.0",
"yargs-parser": ">=18.1.1",
"underscore": ">=1.13.2",
"zod": ">=3.22.3"
},
"devDependencies": {
Expand Down
Loading

0 comments on commit 4253d3f

Please sign in to comment.