Security Vulnerabilities in package-lock.json #116

benabus · 2021-03-16T15:06:09Z

We've been notified by our enterprise github that there are numerous security vulnerabilities in package-lock.json:

ini Known security vulnerability in 1.3.5
kind-of Known security vulnerability in 6.0.2
node-uuid Known security vulnerability in 1.4.0
serialize-javascript Known security vulnerability in 1.9.1
yargs-parser Known security vulnerability in 5.0.0

The text was updated successfully, but these errors were encountered:

w00fz · 2021-03-18T15:49:44Z

Usually these are on 3rd party nested dependencies.
I’ll give flex objects an update to use latest or everything.

w00fz · 2021-03-18T21:18:47Z

This is sorted now @benabus but the truth is, none of those reported vulnerabilities have any affect on the distributed JS from flex-objects. The bot is purely complaining about the package-lock.json and yarn.lock, which i have now updated accordingly.

As a precaution I have recompiled the JS but as expected, the source code has not changed at all.

Thanks for the heads-up and I'm glad to be on the safe side here, but I wouldn't worry about it having any security effect on your end.

Cheers,

mahagr assigned w00fz Mar 18, 2021

w00fz closed this as completed Mar 18, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Vulnerabilities in package-lock.json #116

Security Vulnerabilities in package-lock.json #116

benabus commented Mar 16, 2021

w00fz commented Mar 18, 2021

w00fz commented Mar 18, 2021

Security Vulnerabilities in package-lock.json #116

Security Vulnerabilities in package-lock.json #116

Comments

benabus commented Mar 16, 2021

w00fz commented Mar 18, 2021

w00fz commented Mar 18, 2021