Details
- Bug
- Status: Closed
- P3
- Resolution: Done
- 3.2.1
- stripes-force 114
- Stripes Force
Description
Overview:
yarn.lock contains dependencies pinned to old, vulnerable versions, resulting in security warnings being sent to the FOLIO security team.
Steps to Reproduce:
Open https://github.com/folio-org/eslint-config-stripes/security
Expected Results:
The "Dependabot alerts" bot ignores package.json dependencies with a vulnerable locked version where a compatible more recent version with a fix exists.
Actual Results:
The "Dependabot alerts" bot lists all vulnerable dependencies that appear in yarn.lock, even if a compatible more recent version with a fix exists.
Additional Information:
yarn.lock is 12 months old. A dependency like lodash "^4.17.4" was resolved to "4.17.15" 12 months ago, and this old version has security issues.
However, resolving the same range today yields a fixed version, "4.17.21".
yarn.lock is NOT used when some other module depends on eslint-config-stripes; a consumer resolves against its own lockfile.
yarn.lock is only used by GitHub Dependabot. Its results are posted to the GitHub security tab (https://github.com/folio-org/eslint-config-stripes/security) and create security warnings sent to the FOLIO security team: https://wiki.folio.org/display/SEC/
In the past yarn.lock was updated: https://github.com/folio-org/eslint-config-stripes/pull/65
Refreshing it again helps Dependabot and the security team.
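To show the stale-lock problem described above concretely, here is an added script (not part of this issue or of eslint-config-stripes) that parses a yarn.lock v1 file and reports every entry whose locked resolution is older than a known fixed version. The lock text and the fixed-version table (`FIXED_VERSIONS`, with lodash fixed at 4.17.21 as in the report) are constructed for the example.

```javascript
// Added example (not from the FOLIO issue or eslint-config-stripes): flag yarn.lock v1
// entries resolved below a known fixed version. Lock text and table are constructed.
const SAMPLE_LOCK = `# yarn lockfile v1

lodash@^4.17.4, lodash@^4.17.10:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz"

"@babel/core@^7.0.0":
  version "7.12.3"
`;
const FIXED_VERSIONS = { lodash: '4.17.21' }; // minimum version carrying the fix
// Parse into [{ specs: ['lodash@^4.17.4', ...], version: '4.17.15' }]. Entry headers
// are unindented, end with ':' and may list several (possibly quoted) keys.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line.replace(/:\s*$/, '').split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}
// Numeric x.y.z comparison returning -1, 0 or 1 (pre-release suffixes are ignored).
function compareSemver(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('.').map((n) => parseInt(n, 10) || 0));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}
// Every spec whose locked resolution is older than the fixed version for its package.
function staleEntries(lockText, fixedVersions) {
  const stale = [];
  for (const e of parseYarnLock(lockText)) {
    for (const spec of e.specs) {
      const at = spec.lastIndexOf('@'); // handles scoped names such as @babel/core@^7.0.0
      const name = spec.slice(0, at), fixed = fixedVersions[name];
      if (fixed && e.version && compareSemver(e.version, fixed) < 0) {
        stale.push({ name, range: spec.slice(at + 1), resolved: e.version, fixed });
      }
    }
  }
  return stale;
}
```

Running `staleEntries(SAMPLE_LOCK, FIXED_VERSIONS)` flags both lodash specs as resolved to 4.17.15 while 4.17.21 is available, which is exactly what a consumer's fresh resolution would avoid and what Dependabot reports from the stale lock.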