Deal with security vulnerabilities reported by yarn audit
#199
This drops us from:

111 vulnerabilities found - Packages audited: 144859
Severity: 42 Low | 33 Moderate | 36 High

to:

107 vulnerabilities found - Packages audited: 144813
Severity: 40 Low | 31 Moderate | 36 High

This commit targets the 8.x branch; I'll make the corresponding change for "master" (v9) separately.

Related: #199
Unused as of d18596c.

This drops `yarn audit` from:

107 vulnerabilities found - Packages audited: 144813
Severity: 40 Low | 31 Moderate | 36 High

to:

105 vulnerabilities found - Packages audited: 139619
Severity: 38 Low | 31 Moderate | 36 High

This commit targets the v8.x branch, but I will apply a similar change to "master" (the v9 branch).

Related: #199
Three reasons to delete this:

1. It doesn't actually work: #110
2. We wanted to simplify the structure of the monorepo anyway: #164
3. It has ancient dependencies which add noise to `yarn audit`: #199

`yarn audit` goes from:

105 vulnerabilities found - Packages audited: 139619
Severity: 38 Low | 31 Moderate | 36 High

to:

94 vulnerabilities found - Packages audited: 135401
Severity: 34 Low | 28 Moderate | 32 High

with this change. We target v8 of the toolbox in this change, but I will make the equivalent change in the "master" (v9) branch as well.

A later step will be to address #110, but that will involve completely rethinking and reimplementing how we do ES2015 support.
Drops `yarn audit` from:

94 vulnerabilities found - Packages audited: 135401
Severity: 34 Low | 28 Moderate | 32 High

to:

92 vulnerabilities found - Packages audited: 135399
Severity: 33 Low | 27 Moderate | 32 High

This change targets the 8.x branch but I'll make the same change on the "master" (v9) branch too.

Related: #199

Test plan: `yarn test` and run the layout generator with `yo ./packages/generator-liferay-theme/generators/layout`.
Address some yarn audit issues (for toolkit v8) (#199)
This is the v9 ("master" branch) version of 952ed2b.

Unused as of d18596c.

This drops `yarn audit` from:

45 vulnerabilities found - Packages audited: 538562
Severity: 18 Low | 11 Moderate | 16 High

to:

43 vulnerabilities found - Packages audited: 533368
Severity: 16 Low | 11 Moderate | 16 High

Related: #199
This is the v9 ("master" branch) version of ce6a145.

Three reasons to delete this:

1. It doesn't actually work: #110
2. We wanted to simplify the structure of the monorepo anyway: #164
3. It has ancient dependencies which add noise to `yarn audit`: #199

`yarn audit` goes from:

43 vulnerabilities found - Packages audited: 533368
Severity: 16 Low | 11 Moderate | 16 High

to:

32 vulnerabilities found - Packages audited: 529201
Severity: 12 Low | 8 Moderate | 12 High

with this change.

A later step will be to address #110, but that will involve completely rethinking and reimplementing how we do ES2015 support.
This is the v9 ("master" branch) version of fcfb74b.

Drops `yarn audit` from:

32 vulnerabilities found - Packages audited: 529201
Severity: 12 Low | 8 Moderate | 12 High

to:

30 vulnerabilities found - Packages audited: 529199
Severity: 11 Low | 7 Moderate | 12 High

Related: #199

Test plan: `yarn test` and run the layout generator with `yo ./packages/generator-liferay-theme/generators/layout`.
Status update, as summarized here:
That's on the v9 ("master") branch. On the 8.x branch #216 dropped had the effects summarized here:
To keep all related discussion to this topic in one place, copying content from @andreldm in #492 here:
And @jbalsas' reply:
Created #504 to do a periodic audit, but will leave this one open as the "overview issue" to explain our overall stance on audits.
Not going to transfer this issue to the new repo because we're handling dependency updates globally over there.
We have a few open tickets for security problems reported by `yarn audit` (or `npm audit`). I am going to consolidate all the information in this issue and close these others:

Related but not closing because it is a very large undertaking in itself: (edit: we did it in v10)

- Upgrade to Gulp v4 #148 ("Upgrade to Gulp v4")

Current status (14 March 2019): `yarn audit` was reporting 204 vulnerabilities.

`gulp watch` on their local machines); the generated themes/themelets/layouts — which are what actually get exposed over the network — have tiny dependency footprints and `yarn audit --groups dependencies` is clean for them.

As such, our position is that addressing the remaining vulnerabilities is important but not urgent. It is unlikely that the reported vulnerability counts will go down from the number I quoted above in the next v8 or v9 releases. (They may, in fact, go up, because new vulnerabilities are routinely reported in old dependencies.) Moving forward, our aim will be to reduce the vulnerability count in subsequent v9 releases as close as practically possible to zero, with a clear prioritization of production/run-time vulnerabilities, with dev-time vulnerabilities being treated with less urgency.

To see current `dependencies` vulnerabilities, excluding `devDependencies`, as noted here:
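The stance above separates findings reachable from runtime `dependencies` (what ships in a generated theme) from `devDependencies` noise. The following Python script is an added example, not code from this issue or from the toolkit: it parses a `yarn audit --json` capture (a constructed sample is embedded), reproduces the "N vulnerabilities found - Packages audited: ... Severity: ..." summary for all, runtime-only and dev-only findings, and lists the runtime findings at or above a chosen severity as release blockers. It assumes yarn v1's newline-delimited JSON shape, in particular that each `auditAdvisory` record's `resolution` carries a `dev` flag; the ids, module names and paths in the sample are made up.

```python
import json
from collections import Counter

# Constructed sample of `yarn audit --json` (yarn v1) output: one JSON object per
# line, ending with an auditSummary record. The record shapes follow what yarn v1
# emits (assumption: each auditAdvisory carries resolution.dev, marking advisories
# reached only through devDependencies); ids, module names and paths are made up.
SAMPLE_AUDIT_JSON = """\
{"type":"auditAdvisory","data":{"resolution":{"id":1001,"path":"gulp>vinyl-fs>glob-stream>minimatch","dev":true,"optional":false,"bundled":false},"advisory":{"id":1001,"module_name":"minimatch","severity":"high","title":"Regular Expression Denial of Service"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1002,"path":"gulp>gulp-util>lodash","dev":true,"optional":false,"bundled":false},"advisory":{"id":1002,"module_name":"lodash","severity":"moderate","title":"Prototype Pollution"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1003,"path":"liferay-theme-tasks>lodash","dev":false,"optional":false,"bundled":false},"advisory":{"id":1003,"module_name":"lodash","severity":"low","title":"Prototype Pollution"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":1,"high":1,"critical":0},"dependencies":120,"devDependencies":900,"optionalDependencies":0,"totalDependencies":1020}}
"""

SEVERITY_ORDER = ("info", "low", "moderate", "high", "critical")


def parse_audit(ndjson_text):
    """Split yarn's newline-delimited JSON into advisory records and the summary.

    Returns (advisories, summary): advisories is a list of dicts holding the
    fields we triage on; summary is the auditSummary payload, or None if absent.
    """
    advisories, summary = [], None
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record["type"] == "auditAdvisory":
            data = record["data"]
            advisories.append({
                "id": data["advisory"]["id"],
                "module": data["advisory"]["module_name"],
                "severity": data["advisory"]["severity"],
                "title": data["advisory"]["title"],
                "path": data["resolution"]["path"],
                # dev=True: the vulnerable package is only reachable through
                # devDependencies, so it never ships in the generated theme.
                "dev": bool(data["resolution"].get("dev", False)),
            })
        elif record["type"] == "auditSummary":
            summary = record["data"]
    return advisories, summary


def count_by_severity(advisories, group="all"):
    """Count advisories per severity for 'all', 'dependencies' or 'devDependencies'."""
    if group == "dependencies":
        advisories = [a for a in advisories if not a["dev"]]
    elif group == "devDependencies":
        advisories = [a for a in advisories if a["dev"]]
    elif group != "all":
        raise ValueError("group must be all, dependencies or devDependencies")
    return Counter(a["severity"] for a in advisories)


def format_summary(counts, packages_audited):
    """Render counts in the 'N vulnerabilities found - ...' shape yarn prints."""
    total = sum(counts.values())
    parts = [f"{counts[s]} {s.capitalize()}" for s in SEVERITY_ORDER if counts[s]]
    return (f"{total} vulnerabilities found - Packages audited: {packages_audited} "
            f"Severity: {' | '.join(parts) or 'none'}")


def production_findings_at_or_above(advisories, min_severity):
    """Advisories reachable from runtime dependencies at min_severity or worse.

    This is the list a release gate should fail on; dev-only findings are
    reported but do not block, matching the prioritisation described above.
    """
    threshold = SEVERITY_ORDER.index(min_severity)
    return [a for a in advisories
            if not a["dev"] and SEVERITY_ORDER.index(a["severity"]) >= threshold]


def triage_report(ndjson_text, min_severity="moderate"):
    """Return (report_lines, blocking) for a `yarn audit --json` capture."""
    advisories, summary = parse_audit(ndjson_text)
    total_pkgs = summary["totalDependencies"] if summary else len(advisories)
    lines = [
        "all:             " + format_summary(count_by_severity(advisories), total_pkgs),
        "dependencies:    " + format_summary(count_by_severity(advisories, "dependencies"), total_pkgs),
        "devDependencies: " + format_summary(count_by_severity(advisories, "devDependencies"), total_pkgs),
    ]
    blocking = production_findings_at_or_above(advisories, min_severity)
    for a in blocking:
        lines.append(f"BLOCKING {a['severity']}: {a['module']} ({a['title']}) via {a['path']}")
    return lines, blocking


if __name__ == "__main__":
    report, blocking = triage_report(SAMPLE_AUDIT_JSON)
    print("\n".join(report))
    # Non-zero exit only for runtime findings, so CI fails on what actually ships.
    raise SystemExit(1 if blocking else 0)
```

With real data, capture `yarn audit --json > audit.ndjson` and call `triage_report(open("audit.ndjson").read())`. `yarn audit --groups dependencies` applies the same runtime-only filter on the yarn side; the script adds the side-by-side view and a severity threshold that a CI job can fail on without being drowned by the dev-time count.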