This repository has been archived by the owner on Dec 5, 2020. It is now read-only.

Vulnerable dependencies #492

Closed
andreldm opened this issue Jun 16, 2020 · 2 comments
Comments

@andreldm

Hello guys, in Analytics Cloud we have a 7.1 theme that declares the following dependencies:

"devDependencies": {
	"gulp": "^3.8.10",
	"liferay-theme-deps-7.1": "8.1.2",
	"liferay-theme-tasks": "8.1.2"
}

All works fine, but in a security audit it was brought to our attention that some transitive dependencies are vulnerable. The affected packages are cli, lodash, minimatch, minimist and handlebars; they are dependencies of liferay-theme-tasks and gulp 3.

We tried to update to 8.2.0 but the same vulnerabilities are reported by npm audit.

So, what can we do? Wait for an 8.x.x release with updated dependencies? What about gulp 3?

@jbalsas
Contributor

jbalsas commented Jun 16, 2020

Hey @andreldm, we've had quite a bit of a back and forth with those reports.

These vulnerabilities are build-time only. You're not exposing any of those through a webserver and are not exploitable in the traditional sense. There should be no needed action on your behalf.

In general, security vulnerabilities in dependencies are the ones that can be exploited and thus definitely require fixing.

We know credibility is just as important when it comes to security, so it'd be good if these were fixed. However, the amount of work they require of us is just too big to take on lightly. We'll eventually get rid of some of these, but they're not our priority right now.

I'll leave this open for now so others can chime in.

Feel free to add additional information and context here in case you feel there's something we're overlooking or that would up the importance of this issue.
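The question above and the reply both turn on one triage point: whether a vulnerable transitive package is installed only under devDependencies (build-time, as with gulp and liferay-theme-tasks) or is also reachable from a runtime dependency. The script below is an added example, not code from this issue or from the liferay-theme-tasks project. It joins an `npm audit --json` report with `package-lock.json` and labels each installed copy of a flagged package as build-time-only or runtime. It assumes a lockfile of lockfileVersion 2 or later (a `packages` map keyed by install path, with `dev: true` on nodes reachable only from devDependencies) and the npm 7+ audit JSON shape (a `vulnerabilities` map whose entries list installed `nodes`). Both documents embedded here are constructed samples, including the advisory titles, URLs, versions and the runtime package `web-app`; none of it is real audit output for this theme.

```javascript
// Added example, not code from the issue or from liferay-theme-tasks.
// Joins an `npm audit --json` report with package-lock.json so that each
// vulnerable installed copy is labelled build-time-only (dev) or runtime.
// Assumes lockfileVersion 2+ and npm 7+ audit JSON; see the lead-in.

// Constructed lockfile sample (paths, versions and the `web-app` package are made up).
const lockfile = {
  lockfileVersion: 2,
  packages: {
    "": { devDependencies: { gulp: "^3.8.10", "liferay-theme-tasks": "8.1.2" } },
    // dev-only subtree: npm marks these `dev: true`
    "node_modules/gulp": { version: "1.0.0-sample", dev: true },
    "node_modules/liferay-theme-tasks": { version: "1.0.0-sample", dev: true },
    "node_modules/lodash": { version: "1.0.0-sample", dev: true },
    "node_modules/minimist": { version: "1.0.0-sample", dev: true },
    // constructed runtime dependency that carries its own nested minimist copy
    "node_modules/web-app": { version: "1.0.0-sample" },
    "node_modules/web-app/node_modules/minimist": { version: "1.0.0-sample" },
  },
};

// Constructed audit report sample (advisory titles and URLs are placeholders).
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: "lodash", severity: "high", isDirect: false,
      via: [{ title: "constructed advisory A", url: "https://example.invalid/adv-a" }],
      nodes: ["node_modules/lodash"], fixAvailable: true,
    },
    minimist: {
      name: "minimist", severity: "moderate", isDirect: false,
      via: [{ title: "constructed advisory B", url: "https://example.invalid/adv-b" }],
      nodes: ["node_modules/minimist", "node_modules/web-app/node_modules/minimist"],
      fixAvailable: true,
    },
  },
};

// True when the lockfile says this installed node is reachable only from devDependencies.
function isDevOnly(lock, nodePath) {
  const entry = lock.packages[nodePath];
  if (!entry) throw new Error(`lockfile has no entry for ${nodePath}`);
  return entry.dev === true;
}

// One record per audit finding; runtimeReachable is true if any installed copy
// of the package sits outside the dev-only subtree.
function classifyFindings(audit, lock) {
  return Object.values(audit.vulnerabilities).map((v) => {
    const copies = v.nodes.map((p) => ({ path: p, devOnly: isDevOnly(lock, p) }));
    return {
      name: v.name,
      severity: v.severity,
      copies,
      runtimeReachable: copies.some((c) => !c.devOnly),
    };
  });
}

// Split findings into the two triage buckets the thread is arguing about.
function summarize(findings) {
  return {
    runtime: findings.filter((f) => f.runtimeReachable).map((f) => f.name),
    buildOnly: findings.filter((f) => !f.runtimeReachable).map((f) => f.name),
  };
}

// Demonstration run over the constructed samples.
const findings = classifyFindings(auditReport, lockfile);
for (const f of findings) {
  console.log(`${f.name} (${f.severity}): ${f.runtimeReachable ? "RUNTIME" : "build-time only"}`);
  for (const c of f.copies) console.log(`  ${c.path}${c.devOnly ? " [dev]" : ""}`);
}
console.log(summarize(findings));
```

In the sample, lodash is classified build-time only because its sole installed copy is marked `dev`, while minimist is classified runtime because a second copy lives under the constructed runtime package. The same split can be approximated from the command line with `npm audit --omit=dev` (npm 8+; `npm audit --production` on npm 6), but the lockfile join shows exactly which installed path causes a package to count as runtime, which is what you want to record in an audit response.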

@wincent
Contributor

wincent commented Jun 16, 2020

In a sense this is a duplicate of #199 — that one goes into some additional/different detail about the points. I'd rather close this one and centralize the discussion there than have the conversation spread into two places, so I'm going to do that and copy the content over there. We can continue to discuss over there.
