[ https://issues.apache.org/jira/browse/TINKERPOP-2572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Øyvind Sæbø closed TINKERPOP-2572.
----------------------------------
    Resolution: Invalid

It turns out that package-lock.json is gitignored globally in the tinkerpop 
repo, so the package-lock.json file with the affected versions is not committed 
and only existed locally on my computer.

That being said, I think it's a bit of an anti-pattern to gitignore the  
package-lock.json file as it means that users who have an older 
package-lock.json file might install older versions of the dependencies with 
security vulnerabilities, while users who don't already have a 
package-lock.json file will get a more up-to-date package-lock.json file when 
running npm install. For deterministic installs I think it would be preferable 
that the package-lock.json file was committed and that versions were managed 
more explicitly.

> Upgrade dependencies to fix security vulnerabilities
> ----------------------------------------------------
>
>                 Key: TINKERPOP-2572
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2572
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: gremlint
>    Affects Versions: 3.5.0
>            Reporter: Øyvind Sæbø
>            Assignee: Øyvind Sæbø
>            Priority: Trivial
>             Fix For: 3.5.0
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> A few of Gremlint's indirect dependencies have vulnerabilities listed in the 
> GitHub Advisory Database.
> Specifically the following should be done:
>  * Upgrade ws to version 7.4.6 or later (moderate severity) [1].
>  * Upgrade lodash to version 4.17.21 or later (high severity) [2].
>  * Upgrade hosted-git-info to version 2.8.9 or later (moderate severity) [3].
>  * Upgrade y18n to version 4.0.1 or later (high severity) [4].
>  * Upgrade node-notifier to version 8.0.1 or later (moderate severity) [5].
> [1] [https://github.com/advisories/GHSA-6fc8-4gx4-v693]
> [2] [https://github.com/advisories/GHSA-35jh-r3h4-6jhm]
> [3] [https://github.com/advisories/GHSA-43f8-2h32-f4cj]
> [4] [https://github.com/advisories/GHSA-c4w7-xm78-47vh]
> [5] [https://github.com/advisories/GHSA-5fw9-fq32-wv5p]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
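As an added illustration of the point made in the comment (not code from the issue or from the TinkerPop project), the script below audits whatever package-lock.json a developer actually has on disk against the five minimum fixed versions listed in the issue, walking nested copies in both the lockfileVersion 1 dependency tree and the lockfileVersion 2/3 `packages` map. The sample lockfile it ships with is constructed for the demonstration and is not gremlint's real lockfile.

```python
import json
import re
import sys

# Minimum fixed versions from the advisories cited in TINKERPOP-2572.
MIN_FIXED = {
    "ws": "7.4.6",
    "lodash": "4.17.21",
    "hosted-git-info": "2.8.9",
    "y18n": "4.0.1",
    "node-notifier": "8.0.1",
}

def parse_version(v):
    """Turn '4.17.21' into (4, 17, 21); pre-release/build suffixes are ignored."""
    core = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"not a semver release version: {v}")
    return tuple(int(x) for x in core.groups())

def iter_lock_entries(lock):
    """Yield (name, version) for every resolved package, nested copies included.
    lockfileVersion 2/3: flat 'packages' map keyed by node_modules path.
    lockfileVersion 1 (and 2 for compatibility): nested 'dependencies' tree."""
    for path, meta in lock.get("packages", {}).items():
        if path:  # the empty key is the root project itself
            yield path.split("node_modules/")[-1], meta.get("version")
    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))
    yield from walk(lock.get("dependencies", {}))

def find_vulnerable(lock):
    """Return sorted (name, version, min_fixed) for entries below the fixed version."""
    hits = set()  # a set, because v2 lockfiles list each package twice
    for name, version in iter_lock_entries(lock):
        floor = MIN_FIXED.get(name)
        if floor and version and parse_version(version) < parse_version(floor):
            hits.add((name, version, floor))
    return sorted(hits)

# Constructed lockfileVersion 1 excerpt: two deps already fixed, three stale ones
# (two of them hidden as nested copies under jest), as an outdated local lock might hold.
SAMPLE_LOCK = {
    "lockfileVersion": 1,
    "dependencies": {
        "lodash": {"version": "4.17.21"},
        "ws": {"version": "7.4.6"},
        "hosted-git-info": {"version": "2.8.8"},
        "jest": {"version": "26.6.3", "dependencies": {
            "node-notifier": {"version": "8.0.0"}, "y18n": {"version": "4.0.0"}}},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, floor in find_vulnerable(lock):
        print(f"{name}@{version} is below fixed version {floor}")
```

Run it as `python audit_lock.py path/to/package-lock.json`; with no argument it audits the constructed sample.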