
I have a high-sev GitHub security vulnerability for js-yaml in my yarn.lock file on a Rails app.

Remediation
Upgrade js-yaml to version 3.13.1 or later. For example:

js-yaml@^3.13.1:
  version "3.13.1"

I have run yarn upgrade js-yaml, which has updated the version in my package.json: "js-yaml": "^3.13.1",

However, the issue is still showing in GitHub.

I have also tried removing yarn.lock and running yarn install, as well as using the deduplicate tool yarn-deduplicate ./yarn.lock (which has worked for me in other cases). However, the vulnerability persists.

This is how js-yaml looks in my yarn.lock file:

js-yaml@^3.12.0, js-yaml@^3.13.1:
  version "3.13.1"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.13.1.tgz#aff151b30bfdfa8e49e05da22e7415e9dfa37847"
  integrity sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==
  dependencies:
    argparse "^1.0.7"
    esprima "^4.0.0"

js-yaml@~3.7.0:
  version "3.7.0"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.7.0.tgz#5c967ddd837a9bfdca5f2de84253abe8a1c03b80"
  integrity sha1-XJZ93YN6m/3KXy3oQlOr6KHAO4A=
  dependencies:
    argparse "^1.0.7"
    esprima "^2.6.0"

I would like to know:

  1. How to fix this specific issue

  2. What are the best practices for keeping the yarn.lock file up to date to avoid security vulnerabilities? It seems I am not the only one getting duplication issues when I yarn upgrade (e.g. https://github.com/yarnpkg/yarn/issues/3967); maybe there is something I could be doing differently?

tk421

1 Answer

I have just run into the same situation. If you run yarn why js-yaml you might find out that js-yaml is a nested dependency, so while you are upgrading js-yaml there is another dependency (mine, for example, was css-loader) that requires that older version of js-yaml. One solution (although this might not be the best, I'm sorry) is to run your upgrade, yarn upgrade js-yaml@version, then add js-yaml as a resolution in package.json. Push your changes to GitHub and the vulnerability error should go away. For information on Resolution see this link.

Alexander
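The answer's diagnosis (yarn why showing an older js-yaml still pinned through a nested dependency) can be checked directly against the lockfile. The script below is an added example and is not code from the question, the answer, or the yarn project: it parses a yarn v1 lockfile in the format quoted in the question, lists every version a package actually resolves to, and flags versions below a floor you choose. The sample lockfile embedded in it is constructed from the two js-yaml entries shown in the question; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the question or the answer). Reads a yarn v1 lockfile
# and reports every resolved version of a package, flagging those below a floor,
# so a stale nested pin is visible without reading yarn.lock by hand.

# Print the resolved version of every lockfile entry whose header names PACKAGE.
lock_versions() {
  local lockfile="$1" package="$2"
  awk -v pkg="$package" '
    # Entry headers are unindented and end in ":", e.g.
    #   js-yaml@^3.12.0, js-yaml@^3.13.1:
    # (quoted for scoped packages). Indented keys such as "dependencies:" and the
    # "# yarn lockfile v1" comment do not match.
    /^[^ \t#]/ && /:$/ {
      inentry = 0
      n = split($0, specs, ",")
      for (i = 1; i <= n; i++) {
        s = specs[i]; gsub(/^ +| +$|"|:$/, "", s)
        name = s; sub(/@[^@]*$/, "", name)   # drop the range after the last "@"
        if (name == pkg) inentry = 1
      }
      next
    }
    inentry && /^  version "/ { gsub(/"/, "", $2); print $2 }
  ' "$lockfile"
}

# Succeed (exit 0) when VERSION is strictly lower than FLOOR, comparing the
# numeric major.minor.patch fields; a prerelease suffix after "-" is ignored.
version_below() {
  awk -v ver="$1" -v floor="$2" 'BEGIN {
    nv = split(ver, a, "."); nf = split(floor, b, ".")
    for (i = 1; i <= 3; i++) {
      x = (i <= nv) ? a[i] + 0 : 0
      y = (i <= nf) ? b[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1   # equal: not below the floor
  }'
}

# Print "PACKAGE VERSION (< FLOOR)" for each resolved version below FLOOR.
# Returns 1 when any such version is still pinned, 0 when the lockfile is clean.
check_lock() {
  local lockfile="$1" package="$2" floor="$3" found=0 v
  for v in $(lock_versions "$lockfile" "$package"); do
    if version_below "$v" "$floor"; then
      echo "$package $v (< $floor)"
      found=1
    fi
  done
  return "$found"
}

# Constructed sample lockfile: the two js-yaml entries quoted in the question.
SAMPLE_LOCK="$(mktemp)"
cat >"$SAMPLE_LOCK" <<'EOF'
# yarn lockfile v1


js-yaml@^3.12.0, js-yaml@^3.13.1:
  version "3.13.1"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.13.1.tgz#aff151b30bfdfa8e49e05da22e7415e9dfa37847"
  integrity sha512-YfbcO7jXDdyj0DGxYVSlSeQNHbD7XPWvrVWeVUujrQEoZzWJIRrCPoyk6kL6IAjAG2IolMK4T0hNUe0HOUs5Jw==
  dependencies:
    argparse "^1.0.7"
    esprima "^4.0.0"

js-yaml@~3.7.0:
  version "3.7.0"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.7.0.tgz#5c967ddd837a9bfdca5f2de84253abe8a1c03b80"
  integrity sha1-XJZ93YN6m/3KXy3oQlOr6KHAO4A=
  dependencies:
    argparse "^1.0.7"
    esprima "^2.6.0"
EOF

# Usage: check_lock <yarn.lock> <package> <minimum safe version>
if check_lock "$SAMPLE_LOCK" js-yaml 3.13.1; then
  echo "js-yaml: only 3.13.1 or later is pinned"
else
  echo "js-yaml: an older version is still pinned; add a resolutions entry and re-run yarn install"
fi
```

Run against the sample it reports js-yaml 3.7.0 (< 3.13.1), the ~3.7.0 pin from the question that yarn upgrade js-yaml alone does not touch. Pointing it at a real yarn.lock is the quick way to confirm, after adding the resolutions entry the answer describes (for example "resolutions": { "js-yaml": "^3.13.1" } in package.json) and re-running yarn install, that no entry below the floor remains before pushing.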