[MODGQL-138] Dependency updates: json-ptr, underscore, xmldom; yarn.lock - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: TBD
Resolution: Done
Affects Version/s: 1.8.0
Fix Version/s: 1.9.0
Labels:
- security

Template:
Development Team:
Thor

Description

raml-1-parser has these vulnerable dependencies:

json-ptr before 2.1.0 has an arbitrary code executsation vulnerability https://nvd.nist.gov/vuln/detail/CVE-2020-7766
underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function: https://nvd.nist.gov/vuln/detail/CVE-2021-23358
xmldom before 0.5.0 allows maliciously crafted documents to make unexpected syntactic changes during XML processing https://nvd.nist.gov/vuln/detail/CVE-2021-21366

raml-1-parser is no longer maintained: https://www.npmjs.com/package/raml-1-parser

Task:

Use "resolutions" section in package.json to bump the dependencies to fixed versions.

In addition "yarn upgrade" yarn.lock. This enforces fixed versions and also signals GitHub's dependabot that mod-graphql no longer has potential security issues.

TestRail: Results

Attachments

Issue Links

relates to

MODGQL-128 Switch from raml-1-parser to a more modern and supported RAML/OpenAPI parser

Open

Activity

People

Assignee:: Mike Taylor

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 14/May/21 8:37 PM

Updated:: 30/Nov/21 9:23 PM

Resolved:: 30/Nov/21 9:23 PM

Dependency updates: json-ptr, underscore, xmldom; yarn.lock