
Fix security vulnerability related to minimist #730

Closed
hakimelek opened this issue Mar 20, 2020 · 5 comments · Fixed by #778

@hakimelek
Collaborator

The problem needs to be fixed in webpack and then in next.js; there is an existing next.js issue open to apply a fix. We will need to upgrade once that is published.

From the automatic Github audit:

Remediation
Upgrade minimist to version 1.2.2 or later. For example:

```json
"dependencies": {
  "minimist": ">=1.2.2"
}
```

or…

```json
"devDependencies": {
  "minimist": ">=1.2.2"
}
```

Always verify the validity and compatibility of suggestions with your codebase.

GHSA-7fhm-mqm4-2wp7
moderate severity
Vulnerable versions: < 1.2.2
Patched version: 1.2.2
There are high severity security vulnerabilities in two of ESLint's dependencies:

  • acorn
  • minimist

The releases 1.8.3 and lower of svjsl (JSLib-npm) are vulnerable, but only if installed in a developer environment. A patch has been released (v1.8.4) which fixes these vulnerabilities.

Identifiers:

CVE-2020-7598
SNYK-JS-ACORN-559469 (does not have a CVE identifier)
@pcln-james
Contributor

Initial investigation revealed that mdx-docs still has dependencies that include vulnerable versions of the minimist package. Since we plan to remove the docs application and move solely to a storybook docs solution, I suggest that we move towards that happening rather than fixing this issue. @sdalonzo @hakimelek @craigpalermo thoughts?

@craigpalermo
Collaborator

@pcln-james Makes sense to me. There's not much we can do if there's still a vulnerability in mdx-docs. Do we already have an issue to discuss moving to Storybook for docs?

@hakimelek
Collaborator Author

@James300 @craigpalermo I am a fan of our docs website and really think it's better to walk through and navigate than storybook. But I understand if that would add an overhead to the team to maintain, since everything is tested and developed in storybook.

Also, it seems like fixing this security problem would require us to move out of react-live, which seems to be still depending on [email protected] even with its newer version. I like using that feature and I think we should consider supporting it in every one of our stories moving forward.

@craigpalermo
Collaborator

Agreed with @hakimelek that we should try to preserve the react-live functionality with whatever we end up doing. I haven't really heard much about replacing the docs site with SB, but I think it'd make sense to open a separate issue to discuss that in greater detail.

#755

@craigpalermo
Collaborator

@James300 volunteered to look into a PR for mdx-docs to resolve the security vulnerability.
