
High Priority Vulnerabilities #1691

Closed
SorsOps opened this issue Mar 15, 2023 · 2 comments
Labels
dependencies Pull requests that update a dependency file

Comments

@SorsOps
Member

SorsOps commented Mar 15, 2023

Describe the bug
The prod bundle we emit for the figma plugin only has 2 remaining high priority vulnerabilities.

  1. Prototype pollution arising from set-value GHSA-4jqc-8m5r-9rpr
  2. ReDoS vulnerability for minimatch GHSA-f8q6-p94x-37v3

Neither has any real impact on the security of the plugin; however, they are affecting auditing reports.

1 relies on a major version upgrade; https://github.com/tokens-studio/figma-plugin/actions/runs/4431195197 shows that this introduces a major regression.

2 seems more manageable; https://github.com/tokens-studio/figma-plugin/actions/runs/4431205127 shows that it does also cause a regression, but it is localized to the cypress testing.

We will likely need to get surgical with the package-lock.json and manually remediate these.
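A helper for that kind of lockfile pass, added here as an example and not code from the plugin repository: it walks an npm lockfile's `packages` map and lists every nested copy of a watched package that is still below a minimum version, so the offending entries can be pinned individually instead of bumping the whole tree. The sample lockfile and the minimum versions are constructed placeholders, not advisory data.

```javascript
// Added example (not from tokens-studio/figma-plugin): find nested copies of a
// dependency in a package-lock.json (lockfileVersion 2/3 "packages" map) whose
// version is still below an assumed minimum, reporting the install path of each.

function parseVersion(v) {
  // Drop a leading "v" and any prerelease/build suffix; compare numerically.
  const core = v.replace(/^v/, '').split(/[-+]/)[0];
  return core.split('.').map((n) => parseInt(n, 10) || 0);
}

function isBelow(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false; // equal versions are not below
}

// Returns [{ name, version, path, minimum }] for every lockfile entry whose last
// path segment is a watched package name and whose version is below the minimum.
function findVulnerable(lock, minimums) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // handles @scope/name too
    if (!path || !(name in minimums) || !entry.version) continue;
    if (isBelow(entry.version, minimums[name])) {
      hits.push({ name, version: entry.version, path, minimum: minimums[name] });
    }
  }
  return hits.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed sample lockfile; versions and nesting are illustrative only.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-plugin', version: '1.0.0' },
    'node_modules/minimatch': { version: '3.0.4' },
    'node_modules/some-cli/node_modules/minimatch': { version: '3.1.2' },
    'node_modules/set-value': { version: '2.0.1' },
    'node_modules/union-value/node_modules/set-value': { version: '0.4.3' },
  },
};
// ASSUMED placeholder minimums; take the real ones from the advisories.
const assumedMinimums = { minimatch: '3.0.5', 'set-value': '2.0.1' };

for (const h of findVulnerable(sampleLock, assumedMinimums)) {
  console.log(`${h.path}: ${h.name}@${h.version} < ${h.minimum}`);
}
```

Against a real lockfile, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; each reported path is an entry you can pin or override without touching the rest of the tree.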

@SorsOps SorsOps added the dependencies Pull requests that update a dependency file label Mar 15, 2023
@SorsOps
Member Author

SorsOps commented Mar 22, 2023

The minimatch vulnerability should be solved in #1707

Set-value is much harder to resolve.

@six7 six7 moved this from 📥 Triage to 🤞 To be released in Tokens Studio for Figma Roadmap Mar 25, 2023
@six7
Collaborator

six7 commented Mar 27, 2023

Fixed in 1.35.3.

@six7 six7 closed this as completed Mar 27, 2023
@github-project-automation github-project-automation bot moved this from 🤞 To be released to ✅ Done in Tokens Studio for Figma Roadmap Mar 27, 2023