
[AzureRmWebAppDeploymentV3] Bump up version of lodash to resolve security alert #15374

Closed
DenisRumyantsev opened this issue Oct 6, 2021 · 1 comment

Comments

@DenisRumyantsev
Contributor

DenisRumyantsev commented Oct 6, 2021

Task Name

AzureRmWebAppDeploymentV3

Issue Description

This task has dependencies on archiver and nock which have critical vulnerabilities.

Error logs

To get these error logs you can run npm audit from the Tasks\AzureRmWebAppDeploymentV3 directory:

PS D:\microsoft\azure-pipelines-tasks\Tasks\AzureRmWebAppDeploymentV3> npm audit

                       === npm audit security report ===

# Run  npm update lodash --depth 4  to resolve 5 vulnerabilities

  High            Command Injection
  Package         lodash
  Dependency of   archiver
  Path            archiver > archiver-utils > lodash
  More info       https://npmjs.com/advisories/1673

  High            Command Injection
  Package         lodash
  Dependency of   archiver
  Path            archiver > zip-stream > archiver-utils > lodash
  More info       https://npmjs.com/advisories/1673

  High            Command Injection
  Package         lodash
  Dependency of   archiver
  Path            archiver > async > lodash
  More info       https://npmjs.com/advisories/1673

  High            Command Injection
  Package         lodash
  Dependency of   archiver
  Path            archiver > lodash
  More info       https://npmjs.com/advisories/1673

  High            Command Injection
  Package         lodash
  Dependency of   archiver
  Path            archiver > zip-stream > lodash
  More info       https://npmjs.com/advisories/1673

To get these error logs you can run npm audit from the Tasks\AzureRmWebAppDeploymentV3\Tests directory:

PS D:\microsoft\azure-pipelines-tasks\Tasks\AzureRmWebAppDeploymentV3\Tests> npm audit

                       === npm audit security report ===

# Run  npm update lodash --depth 2  to resolve 5 vulnerabilities

  Low             Prototype Pollution
  Package         lodash
  Dependency of   nock [dev]
  Path            nock > lodash
  More info       https://npmjs.com/advisories/577

  High            Prototype Pollution
  Package         lodash
  Dependency of   nock [dev]
  Path            nock > lodash
  More info       https://npmjs.com/advisories/782

  High            Prototype Pollution
  Package         lodash
  Dependency of   nock [dev]
  Path            nock > lodash
  More info       https://npmjs.com/advisories/1065

  Low             Prototype Pollution
  Package         lodash
  Dependency of   nock [dev]
  Path            nock > lodash
  More info       https://npmjs.com/advisories/1523

  High            Command Injection
  Package         lodash
  Dependency of   nock [dev]
  Path            nock > lodash
  More info       https://npmjs.com/advisories/1673
DenisRumyantsev changed the title from "[AzureRmWebAppDeploymentV3] update dependencies to bump the lodash version in the package-lock.json" to "[AzureRmWebAppDeploymentV3] Bump up version of lodash to resolve security alert" on Oct 6, 2021.

v-jkarri added the labels "environment:need-to-triage" (Issues need to be triaged by the environment-deployment team) and "environment:under-investigation", and removed the labels "bug" and "environment:need-to-triage", on Oct 7, 2021.
@v-saikumart
Contributor

Dependencies have been updated. Please find the PR below for reference.
Thank you.
#15460
