Resolve security vulnerabilities

EFSA has security vulnerabilities.

The unique vulnerabilities are the following:

  • package: json5, Prototype Pollution in JSON5 via Parse Method
  • package: loader-utils, loader-utils is vulnerable to ReDoS
  • package: terser, Insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS

By unique, I mean many packages are reporting vulnerabilities which all stem from those three.

I fixed 14 of the 36 vulnerabilities with npx yarn-audit-fix. This fixes 3 of the 5 critical ones.

However, some packages aren't being patched quickly enough. I assume we could create a fork and update their bad dependencies as a temporary solution.

Running npx yarn-audit-fix --force (the yarn alternative to npm audit fix --force) fixed all the vulnerabilities, but this is potentially breaking and is not generally recommended.
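To make the "unique vulnerabilities" view above reproducible, here is an added helper (not part of this issue or the project) that groups the NDJSON emitted by `yarn audit --json` by advisory id, so the many per-path reports collapse to the root advisories they stem from. The advisory ids, dependency paths and patched-version strings in the embedded sample are constructed; the record shape (`auditAdvisory` / `auditSummary`) is yarn classic's.

```python
import json
import sys


def _rec(adv_id, module, title, path):
    """Build one constructed auditAdvisory record in yarn classic's shape."""
    return json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": adv_id, "path": path},
        "advisory": {"id": adv_id, "module_name": module, "title": title,
                     "severity": "high", "patched_versions": "CONSTRUCTED"}}})


# Constructed sample: four reports, but only two distinct advisories.
SAMPLE_AUDIT_NDJSON = "\n".join([
    _rec(1001, "loader-utils", "loader-utils is vulnerable to ReDoS",
         "app>babel-loader>loader-utils"),
    _rec(1001, "loader-utils", "loader-utils is vulnerable to ReDoS",
         "app>file-loader>loader-utils"),
    _rec(1002, "json5", "Prototype Pollution in JSON5 via Parse Method",
         "app>babel-preset-react-app>json5"),
    _rec(1002, "json5", "Prototype Pollution in JSON5 via Parse Method",
         "app>tsconfig-paths>json5"),
    json.dumps({"type": "auditSummary", "data": {"vulnerabilities": {"high": 4}}}),
])


def unique_advisories(ndjson_text):
    """Return {advisory_id: {module, title, severity, patched_versions, paths}}.

    Each root advisory appears once, with every dependency path that reports it.
    """
    grouped = {}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("type") != "auditAdvisory":
            continue  # skip auditSummary and any other record types
        adv = rec["data"]["advisory"]
        entry = grouped.setdefault(adv["id"], {
            "module": adv["module_name"], "title": adv["title"],
            "severity": adv["severity"],
            "patched_versions": adv.get("patched_versions", ""), "paths": []})
        entry["paths"].append(rec["data"]["resolution"]["path"])
    return grouped


def summarize(ndjson_text):
    """One line per unique advisory, most severe first, then by module name."""
    order = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}
    rows = sorted(unique_advisories(ndjson_text).values(),
                  key=lambda e: (order.get(e["severity"], 9), e["module"]))
    return [f'{e["severity"]:<8} {e["module"]}: {e["title"]} '
            f'(reported via {len(e["paths"])} path(s), fix: {e["patched_versions"]})'
            for e in rows]


if __name__ == "__main__":
    # Pipe `yarn audit --json` into this script; with no stdin it uses the sample.
    text = SAMPLE_AUDIT_NDJSON if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(summarize(text)))
```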