Project

General

Profile

Actions
Copy link

Bug #45949

closed

mgr/dashboard: Fix audit and update packages

Added by Tiago Melo almost 4 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Tiago Melo
Category:
UI
Target version:
-
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
35366
Crash signature (v1):
Crash signature (v2):

Description

We need to fix some new npm audit vulnerabilities and update some packages.
While we can't fix all vulnerabilities, we can reduce them.

                       === npm audit security report ===                        

# Run  npm install --save-dev @angular-devkit/build-angular@0.901.7  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev]                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular-devkit/build-angular > webpack-dev-server > yargs > │
│               │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

# Run  npm update http-proxy --depth 4  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ http-proxy                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev]                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular-devkit/build-angular > webpack-dev-server >         │
│               │ http-proxy-middleware > http-proxy                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1486                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @ngx-translate/i18n-polyfill                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @ngx-translate/i18n-polyfill > yargs > yargs-parser          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ htmllint-cli [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ htmllint-cli > yargs > yargs-parser                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 vulnerabilities (3 low, 1 high) in 2123 scanned packages
  run `npm audit fix` to fix 2 of them.
  2 vulnerabilities require manual review. See the full report for details.
Actions
Copy link
 #1

Updated by Tiago Melo almost 4 years ago

  • Status changed from In Progress to Fix Under Review
  • Pull request ID set to 35366
Actions
Copy link
 #2

Updated by Tiago Melo almost 4 years ago

  • Status changed from Fix Under Review to Resolved
Actions
Copy link
 #3

Updated by Ernesto Puerta about 3 years ago

  • Tracker changed from Fix to Bug
  • Project changed from mgr to Dashboard
  • Category changed from 165 to UI
  • Regression set to No
  • Severity set to 3 - minor
Actions
Copy link

Also available in: Atom PDF