Update project npm dependencies to remove vulnerabilities #2518

KonstantinEpam23 · 2023-04-21T17:07:53Z

At the moment running npm audit shows 10 high severity vulnerabilities, these need to be fix in .

In general it is a good idea to keep dependencies updated for several reasons:

It can address known security vulnerabilities.
It can fix bugs and improve stability .
New versions of dependencies often come with performance improvements.
It can ensure that application remains compatible with other libraries and tools that we use.

Current npm audit output:

# npm audit report

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install serve@14.2.0, which is a breaking change
node_modules/serve-handler/node_modules/minimatch
  serve-handler  1.1.0 - 6.1.3
  Depends on vulnerable versions of minimatch
  node_modules/serve-handler
    serve  7.0.0 - 14.0.1
    Depends on vulnerable versions of serve-handler
    node_modules/serve

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @svgr/rollup@7.0.0, which is a breaking change
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/rollup  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/rollup
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

10 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

The text was updated successfully, but these errors were encountered:

AlonNavon · 2023-08-01T11:56:50Z

Hey @KonstantinEpam23,

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an nth-check 1.02-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.

) * #2518 - updated npm dependencies * #2518 - Remove unused 'openFile' variable declaration * #2518 - additional updates in dependenices * #2518 - additional updates in eslint dependenices * #2518 - fixed eslint confilcting files * #2518 - fixed eslint confilcting files * Fixed failing test --------- Co-authored-by: Gayane Chilingaryan <gayane_chilingaryan@epam.com> Co-authored-by: Nikita_Vozisov <Nikita_Vozisov@epam.com>

Zhirnoff · 2023-10-25T09:12:37Z

Not tested by QA.

KonstantinEpam23 added bug technical debt feature request labels Apr 21, 2023

KonstantinEpam23 added this to the Refined Backlog milestone Apr 21, 2023

KonstantinEpam23 self-assigned this Apr 21, 2023

KonstantinEpam23 removed bug feature request labels Apr 21, 2023

chgayane assigned chgayane and unassigned KonstantinEpam23 Sep 5, 2023

Nitvex modified the milestones: Refined Backlog, Ketcher 2.16.0-rc.1 Sep 6, 2023

chgayane pushed a commit that referenced this issue Sep 6, 2023

#2518 - updated npm dependencies

370fd07

chgayane pushed a commit that referenced this issue Sep 6, 2023

#2518 - Remove unused 'openFile' variable declaration

9ebb8a0

chgayane linked a pull request Sep 6, 2023 that will close this issue

#2518 - Update project npm dependencies to remove vulnerabilities #3266

Merged

9 tasks

chgayane pushed a commit that referenced this issue Sep 11, 2023

#2518 - additional updates in dependenices

c6de9b0

chgayane pushed a commit that referenced this issue Sep 11, 2023

#2518 - additional updates in eslint dependenices

8cddea7

chgayane pushed a commit that referenced this issue Sep 11, 2023

#2518 - fixed eslint confilcting files

05121e4

chgayane pushed a commit that referenced this issue Sep 11, 2023

#2518 - fixed eslint confilcting files

8a5facd

chgayane pushed a commit that referenced this issue Sep 12, 2023

#2518 - fixed tests

a6b2c91

Nitvex closed this as completed in #3266 Sep 22, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update project npm dependencies to remove vulnerabilities #2518

Update project npm dependencies to remove vulnerabilities #2518

KonstantinEpam23 commented Apr 21, 2023

AlonNavon commented Aug 1, 2023 •

edited

Loading

Zhirnoff commented Oct 25, 2023

Update project npm dependencies to remove vulnerabilities #2518

Update project npm dependencies to remove vulnerabilities #2518

Comments

KonstantinEpam23 commented Apr 21, 2023

AlonNavon commented Aug 1, 2023 • edited Loading

Zhirnoff commented Oct 25, 2023

AlonNavon commented Aug 1, 2023 •

edited

Loading