5

We switched to the latest version (21) of cloud-s4-sdk-pipeline. The new features work, but we get npm dependency audit errors besides up-to-date dependency versions.

Summary of the findings

•  High Arbitrary File Overwrite vulnerability found in dependency "tar", see https://npmjs.com/advisories/803 for details.
•  High Code Injection vulnerability found in dependency "js-yaml", see https://npmjs.com/advisories/813 for details.
•  Moderate Regular Expression Denial of Service vulnerability found in dependency "mime", see https://npmjs.com/advisories/535 for details.
•  Moderate Regular Expression Denial of Service vulnerability found in dependency "underscore.string", see https://npmjs.com/advisories/745 for details.
•  Moderate Prototype Pollution vulnerability found in dependency "lodash", see https://npmjs.com/advisories/782 for details.
•  Moderate Denial of Service vulnerability found in dependency "js-yaml", see https://npmjs.com/advisories/788 for details.

Have you had a similar problem? Is there a solution available?

Florian Wilhelm
  • 600
  • 4
  • 17
user11732455
  • 51
  • 1

1 Answers1

1

one of the main changes from v20 to v21 was that we're now auditing all package.json files which we can find in your project (same for whitesource scans).

I assume that this is the case in your project and therefore the new audit findings pop up.

I would recommend you to locally execute npm audit --fix in the directory of your package.json and commit the resulting package-lock.json. If this also does not fix you problem the last solution would be to mark those npm audit issues as "audited" in the pipeline_config.yaml as described here

floge77
  • 64
  • 4