It is still pulled into our repo via @wdio/cli, however. This is a dev dependency (for testing only) and is not included in any bundles.
jared:widget$ yarn why ejs
yarn why v1.22.19
[1/4] 🤔 Why do we have the module "ejs"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "@okta/e2e#[email protected]"
info Reasons this module exists
- "_project_#@okta#e2e#@wdio#cli" depends on it
- Hoisted from "_project_#@okta#e2e#@wdio#cli#ejs"
- in the nohoist list ["/_project_/**/@wdio/**","/_project_/**/@types/ajv-errors","/_project_/**/@types/ajv-errors/**","/_project_/**/@types/eslint-scope","/_project_/**/eslint-scope","/_project_/**/@okta/okta-auth-js"]
info Disk size without dependencies: "180KB"
info Disk size with unique dependencies: "180KB"
info Disk size with transitive dependencies: "180KB"
info Number of shared dependencies: 0
✨ Done in 1.15s.
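The `yarn why` output above shows the triage question a scanner finding like this raises: is the flagged package reachable from the production `dependencies` of the manifest, or only through `devDependencies`? The following is an added example, not code from okta-signin-widget or from the people in this thread. It walks a flattened dependency graph from both sets of roots and classifies the package, and reports the chain by which it is pulled in. The manifest, version ranges and graph are constructed sample data modelled on the `@wdio/cli` -> `ejs` edge reported above; real lockfiles resolve to a much larger graph, but the reachability check is the same.

```javascript
// Added example (not from okta-signin-widget): classify a scanner finding as
// reachable from production dependencies, reachable only from devDependencies,
// or absent from the graph. Manifest and graph are constructed sample data.

const manifest = {
  name: "sample-widget",              // constructed
  dependencies: {
    "@okta/okta-auth-js": "7.x",      // constructed version range
  },
  devDependencies: {
    "@wdio/cli": "8.x",               // constructed version range
  },
};

// Flattened view of a lockfile: package name -> names of its direct dependencies.
// Only the edge that matters for the finding above is modelled (constructed).
const graph = {
  "@okta/okta-auth-js": [],
  "@wdio/cli": ["ejs"],
  "ejs": [],
};

// Every package reachable from the given roots (iterative DFS, cycle-safe).
function reachableFrom(roots, graph) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of graph[name] || []) stack.push(dep);
  }
  return seen;
}

// "production" wins over "dev-only": a package reachable from both sets of
// roots still ships, so it must be treated as a production finding.
function classifyDependency(pkg, manifest, graph) {
  const prod = reachableFrom(Object.keys(manifest.dependencies || {}), graph);
  const dev = reachableFrom(Object.keys(manifest.devDependencies || {}), graph);
  if (prod.has(pkg)) return "production";
  if (dev.has(pkg)) return "dev-only";
  return "absent";
}

// All root -> ... -> pkg chains, the equivalent of the "depends on it" lines
// in `yarn why`. The path check guards against cyclic graphs.
function pathsTo(pkg, roots, graph) {
  const results = [];
  const walk = (name, path) => {
    if (path.includes(name)) return;
    const next = [...path, name];
    if (name === pkg) {
      results.push(next);
      return;
    }
    for (const dep of graph[name] || []) walk(dep, next);
  };
  for (const root of roots) walk(root, []);
  return results;
}

// One record per finding, suitable for attaching to a scanner ticket.
function triageReport(pkg, manifest, graph) {
  const classification = classifyDependency(pkg, manifest, graph);
  const roots =
    classification === "production"
      ? Object.keys(manifest.dependencies || {})
      : Object.keys(manifest.devDependencies || {});
  return {
    package: pkg,
    classification,
    chains: classification === "absent" ? [] : pathsTo(pkg, roots, graph),
  };
}

// Example run against the constructed data.
console.log(JSON.stringify(triageReport("ejs", manifest, graph), null, 2));
```

A `dev-only` classification from the manifest is the first half of the answer; the second half is confirming the package is genuinely absent from the published artifact, for example by searching the built `dist` output for the module's name, since bundlers decide what ships, not the `devDependencies` label.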
Describe the bug
okta-signin-widget reports CVE-2023-29827 because package.json includes the 'ejs' template library.
CVE-2023-29827 - NVD
The Okta developer's forum reports that this is because okta-signin-widget includes ejs, however ejs is not used in the component. (https://devforum.okta.com/t/okta-signin-widget-and-cve-2023-29827/25160)
Remove ejs from package.json
Reproduction Steps
Checkout okta-signin-widget to a local directory.
Scan with a vulnerability scanner that checks included dependencies (we used Blackduck, but others (e.g. snyk) should also work)
SDK Versions
System:
OS: Linux 5.15 Ubuntu 22.04.3 LTS 22.04.3 LTS (Jammy Jellyfish)
CPU: (4) x64 11th Gen Intel(R) Core(TM) i9-11950H @ 2.60GHz
Memory: 10.76 GB / 11.69 GB
Container: Yes
Shell: 5.1.16 - /bin/bash
Binaries:
Node: 18.17.1 - /usr/local/bin/node
Yarn: 1.22.19 - /usr/bin/yarn
npm: 9.6.7 - /usr/local/bin/npm
Additional Information
No response