Npm dependency audit errors with update of cloud-s4-sdk-pipeline besides up-to-date dependency versions

We switched to the latest version (21) of cloud-s4-sdk-pipeline. The new features work, but we get npm dependency audit errors besides up-to-date dependency versions.

Summary of the findings

•  High Arbitrary File Overwrite vulnerability found in dependency "tar", see https://npmjs.com/advisories/803 for details.
•  High Code Injection vulnerability found in dependency "js-yaml", see https://npmjs.com/advisories/813 for details.
•  Moderate Regular Expression Denial of Service vulnerability found in dependency "mime", see https://npmjs.com/advisories/535 for details.
•  Moderate Regular Expression Denial of Service vulnerability found in dependency "underscore.string", see https://npmjs.com/advisories/745 for details.
•  Moderate Prototype Pollution vulnerability found in dependency "lodash", see https://npmjs.com/advisories/782 for details.
•  Moderate Denial of Service vulnerability found in dependency "js-yaml", see https://npmjs.com/advisories/788 for details.

Have you had a similar problem? Is there a solution available?

user11732455 asked Nov 06 '22 16:11


1 Answer

One of the main changes from v20 to v21 was that we're now auditing all package.json files which we can find in your project (same for whitesource scans).

I assume that this is the case in your project and therefore the new audit findings pop up.

I would recommend that you locally execute npm audit --fix in the directory of your package.json and commit the resulting package-lock.json. If this also does not fix your problem, the last solution would be to mark those npm audit issues as "audited" in the pipeline_config.yaml as described here

floge77 answered Nov 24 '22 15:11
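To illustrate the "audited" allowlist idea from the answer above on the defender's side, here is an added example (not the pipeline's or the project's own code) that parses an `npm audit --json` report, drops advisory ids that have already been reviewed, and fails on anything left at or above a chosen severity. The report layouts handled (npm 6 "advisories" keyed by id, npm 7+ "vulnerabilities" with advisories nested under "via") and the sample report are assumptions constructed here from the findings listed in the question, not data from the page.

```python
"""Allowlist filter over an `npm audit --json` report (assumed layouts)."""
import json

# Constructed sample in the npm 6 report shape, reusing three of the
# advisory ids and packages from the question above.
SAMPLE_NPM6_REPORT = json.dumps({
    "advisories": {
        "803": {"id": 803, "module_name": "tar", "severity": "high",
                "title": "Arbitrary File Overwrite"},
        "813": {"id": 813, "module_name": "js-yaml", "severity": "high",
                "title": "Code Injection"},
        "782": {"id": 782, "module_name": "lodash", "severity": "moderate",
                "title": "Prototype Pollution"},
    }
})

# npm's severity scale, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def extract_findings(report_json):
    """Return (advisory_id, package, severity, title) tuples from either the
    npm 6 layout ("advisories" keyed by id) or the npm 7+ layout
    ("vulnerabilities" keyed by package, advisory objects under "via")."""
    report = json.loads(report_json)
    findings = []
    for adv in report.get("advisories", {}).values():
        findings.append((int(adv["id"]), adv["module_name"],
                         adv["severity"], adv.get("title", "")))
    for pkg, vuln in report.get("vulnerabilities", {}).items():
        for via in vuln.get("via", []):
            # Plain strings in "via" name a dependent package, not an advisory.
            if isinstance(via, dict):
                findings.append((via["source"], pkg, via["severity"],
                                 via.get("title", "")))
    return findings


def unaudited_findings(report_json, audited_ids, min_severity="moderate"):
    """Findings at or above min_severity whose advisory id is not allowlisted."""
    threshold = SEVERITY_RANK[min_severity]
    audited = set(audited_ids)
    return [f for f in extract_findings(report_json)
            if f[0] not in audited and SEVERITY_RANK[f[2]] >= threshold]


def audit_passes(report_json, audited_ids, min_severity="moderate"):
    """True when every remaining finding is below the threshold or audited."""
    return not unaudited_findings(report_json, audited_ids, min_severity)
```

Marking an id as audited only silences the finding; the package stays vulnerable until `package-lock.json` is regenerated with a fixed version.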