Project: ui-notes
Issue: UINOTES-78

Fix security vulnerabilities reported by GitHub


    Details

    • Sprint:
      eHoldings Sprint 87
    • Story Points:
      1
    • Development Team:
      Spitfire

      Description

      1 kind-of vulnerability

      found in yarn.lock 18 hours ago

      Remediation

      Upgrade kind-of to version 6.0.3 or later. For example:

      kind-of@^6.0.3:
        version "6.0.3"

      Always verify the validity and compatibility of suggestions with your codebase.

      Details

      CVE-2019-20149

      moderate severity

      Vulnerable versions: < 6.0.3

      Patched version: 6.0.3

      ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
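The root cause described above, as an added example that is not kind-of's own code: a small type detector that trusts `val.constructor.name` the way ctorName did in 6.0.2, beside a hardened version that takes the constructor from the prototype chain instead of from the object's own properties (the helper names and the reduced set of recognised types are this example's own).

```javascript
// Added example, not kind-of's own code: a type detector that trusts
// `val.constructor.name` the way ctorName did in kind-of 6.0.2, beside a
// hardened version that reads the constructor from the prototype instead.

// Naive lookup: an own `constructor` property on the object shadows the real
// one inherited from the prototype, so whoever built the object controls
// the result.
function naiveCtorName(val) {
  return val.constructor ? val.constructor.name : null;
}

// Hardened lookup: take the constructor from the prototype chain, ignoring own
// properties, and accept only a real function (kind-of 6.0.3 added the
// typeof check; the prototype lookup is an additional guard used here).
function safeCtorName(val) {
  const proto = Object.getPrototypeOf(val);
  const ctor = proto === null ? undefined : proto.constructor;
  return typeof ctor === 'function' ? ctor.name : null;
}

// Shared classifier: only the constructor lookup differs between the two.
function kindOfWith(ctorName, val) {
  if (val === null) return 'null';
  if (typeof val !== 'object') return typeof val;
  switch (ctorName(val)) {
    case 'Symbol': return 'symbol';
    case 'Map': return 'map';
    case 'Date': return 'date';
    default: return 'object';
  }
}

const naiveKindOf = (val) => kindOfWith(naiveCtorName, val);
const safeKindOf = (val) => kindOfWith(safeCtorName, val);

// The payload quoted in the advisory, constructed here as a plain object:
// its own "constructor" property is an object whose name is "Symbol".
const spoofed = { constructor: { name: 'Symbol' } };

console.log('naive:', naiveKindOf(spoofed));        // "symbol": the spoof worked
console.log('safe: ', safeKindOf(spoofed));         // "object": the spoof is ignored
console.log('real Map, safe:', safeKindOf(new Map())); // "map"
```

The same shadowing applies to any code that reads `obj.constructor` directly on untrusted input (deserialised JSON in particular); reading it through `Object.getPrototypeOf` is the general fix.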

      1 ecstatic vulnerability

      found in yarn.lock yesterday

      Remediation

      No patched version is available.

      Details

      CVE-2019-10775

      moderate severity

      Vulnerable versions: <= 4.1.2

      Patched version: No fix

      ecstatic has a denial-of-service vulnerability; successful exploitation could crash the application.

      1 minimist vulnerability

      found in yarn.lock 19 days ago

      Remediation

      Upgrade minimist to version 1.2.2 or later. For example:

      minimist@^1.2.2:
        version "1.2.2"

      Always verify the validity and compatibility of suggestions with your codebase.

      Details

      GHSA-7fhm-mqm4-2wp7

      moderate severity

      Vulnerable versions: < 1.2.2

      Patched version: 1.2.2

      minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
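The defensive side of the minimist issue, as an added example that is not minimist's own code: a nested-key setter of the kind an argv parser needs for `--a.b=c`, hardened so that no path segment can walk onto `Object.prototype`, with a minimal flag parser on top of it (the function names, the blocked-segment list and the sample argv are this example's assumptions).

```javascript
// Added example, not minimist's own code: a nested-key setter hardened against
// prototype pollution, plus a minimal "--key.sub=value" parser that uses it.

// Segments that would walk onto the prototype chain instead of the target.
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Stores value at target[path[0]][path[1]]...; returns false and leaves the
// target untouched if any segment is blocked.
function setPath(target, path, value) {
  if (path.some((seg) => BLOCKED_SEGMENTS.has(seg))) return false;
  let node = target;
  for (const seg of path.slice(0, -1)) {
    // Only descend into containers we created ourselves (own properties),
    // never into something inherited from the prototype.
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
  return true;
}

// Parses "--key=value" and "--key.sub=value" flags; rejected keys are returned
// so the caller can log them instead of silently dropping them.
function parseArgs(argv) {
  const out = {};
  const rejected = [];
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    if (!setPath(out, key.split('.'), value)) rejected.push(key);
  }
  return { out, rejected };
}

// Constructed argv: two ordinary flags plus the two key shapes named in the
// advisory, which a pre-1.2.2 parser would have written into Object.prototype.
const demoArgv = [
  '--name=ui-notes',
  '--db.port=5432',
  '--__proto__.polluted=yes',
  '--constructor.prototype.polluted=yes',
];
const parsed = parseArgs(demoArgv);

console.log(JSON.stringify(parsed));
console.log('Object.prototype polluted?', 'polluted' in {}); // false
```

Rejecting the three segments by name is the approach most parsers settled on; the additional own-property check when descending keeps a later, unrelated key from reaching an inherited object even if the block list is ever bypassed.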

      1 acorn vulnerability

      found in yarn.lock 20 days ago

      Remediation

      Upgrade acorn to version 6.4.1 or later. For example:

      acorn@^6.4.1:
        version "6.4.1"

      Always verify the validity and compatibility of suggestions with your codebase.

      Details

      GHSA-7fhm-mqm4-2wp7

      moderate severity

      Vulnerable versions: >= 6.0.0, < 6.4.1

      Patched version: 6.4.1

      minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
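The remediation sections above each show the yarn.lock entry to aim for. As an added example that is not part of this ticket or of GitHub's alerting, the following parses yarn.lock entries in that format and flags any resolved version that still falls inside one of the four vulnerable ranges listed in this ticket; the lockfile fragment, registry URL and function names are constructed for the example.

```javascript
// Added example, not part of this ticket or of GitHub's tooling: parse
// yarn.lock entries of the form shown in the remediation sections and flag
// resolved versions that fall inside an advisory's vulnerable range.

// Vulnerable ranges as listed in this ticket's four advisory entries.
const ADVISORIES = [
  { pkg: 'kind-of', range: '< 6.0.3' },
  { pkg: 'ecstatic', range: '<= 4.1.2' },
  { pkg: 'minimist', range: '< 1.2.2' },
  { pkg: 'acorn', range: '>= 6.0.0, < 6.4.1' },
];

// Constructed yarn.lock fragment (not the project's real lockfile).
const SAMPLE_LOCK = `
# yarn lockfile v1

acorn@^6.0.1:
  version "6.4.0"
  resolved "https://registry.example.invalid/acorn/-/acorn-6.4.0.tgz"

ecstatic@^3.3.2:
  version "3.3.2"

kind-of@^3.0.2, kind-of@^3.2.0:
  version "3.2.2"

kind-of@^6.0.0, kind-of@^6.0.2:
  version "6.0.3"

minimist@^1.2.0:
  version "1.2.2"

"@scope/pkg@^7.0.0":
  version "7.8.4"
`;

// Numeric dotted-version comparison (sufficient for the x.y.z versions here).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A range is a comma-separated list of clauses such as ">= 6.0.0, < 6.4.1";
// every clause must hold.
function inRange(version, range) {
  return range.split(',').every((clause) => {
    const m = clause.trim().match(/^(<=|>=|<|>|=)\s*(\d+(?:\.\d+)*)$/);
    if (!m) throw new Error('unsupported range clause: ' + clause);
    const c = compareVersions(version, m[2]);
    switch (m[1]) {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: return c === 0;
    }
  });
}

// Each entry is an unindented header "name@spec, name@spec2:" followed by an
// indented `version "x.y.z"` line. The same package may resolve to several
// versions, each in its own entry, so every entry is reported separately.
function parseYarnLock(text) {
  const entries = [];
  let names = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.trim().endsWith(':')) {
      names = line.trim().slice(0, -1).split(',').map((s) => {
        const spec = s.trim().replace(/^"|"$/g, '');
        return spec.slice(0, spec.indexOf('@', 1)); // keeps a leading @scope/
      });
    } else if (names) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) {
        for (const name of new Set(names)) entries.push({ name, version: m[1] });
        names = null;
      }
    }
  }
  return entries;
}

// Returns every resolved version that matches an advisory range.
function auditLock(lockText, advisories = ADVISORIES) {
  const findings = [];
  for (const entry of parseYarnLock(lockText)) {
    for (const adv of advisories) {
      if (adv.pkg === entry.name && inRange(entry.version, adv.range)) {
        findings.push({ ...entry, range: adv.range });
      }
    }
  }
  return findings;
}

console.log(auditLock(SAMPLE_LOCK));
```

Running it on the constructed fragment flags acorn 6.4.0, ecstatic 3.3.2 and kind-of 3.2.2, while kind-of 6.0.3 and minimist 1.2.2 pass; the point of checking every entry rather than the first match is that a lockfile routinely pins one package at several versions, and bumping only the range in package.json leaves the older resolutions in place.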

                People

                Assignee: Khalilah Gambrell (kgambrell)
                Reporter: Peter Murray (peter)