MT#64579 Reduce npm audit vulnerabilities from 132 to 30

- Removed `crypto-browserify` from package.json and quasar.config.js
  (unused webpack polyfill that was bundling vulnerable bn.js and
  elliptic into the production build)

Bumped packages:
* glob
* globals
* jest
* @quasar/app-webpack

Yarn resolutions added
- `serialize-javascript: ^7.0.3` — fixes high-severity RCE vulnerability
  via RegExp.flags/Date.toISOString() (CVE in terser-webpack-plugin and
  @quasar/ssr-helpers paths)
- `**/postcss-svgo/svgo: ^4.0.1` — fixes high-severity Billion Laughs
  DoS (XML entity expansion) in cssnano's SVG optimization pipeline
- `dot-object/minimatch: ^3.1.2` — fixes high-severity ReDoS in
  dot-object's glob dependency
- `**/flatted: 3.4.0` — fixes high-severity unbounded recursion DoS
  in eslint and eslint-webpack-plugin's caching layer

What remains (30 vulnerabilities — all upstream-blocked)
The remaining vulnerabilities are entirely confined to dev-only
tooling and cannot be fixed without upstream releases:
- minimatch ReDoS across jest, @vue/test-utils, jest-serializer-vue,
  @quasar/app-webpack, @quasar/quasar-app-extension-testing-unit-jest
- ajv ReDoS across eslint, eslint-webpack-plugin, @quasar/app-webpack
- webpack SSRF (buildHttp feature, not used in this project)
- qs DoS in webpack-dev-server's express (local dev only)
- esbuild dev server CORS issue (local dev only)
- vue-template-compiler XSS (no patch available upstream)
- tmp symlink issue, @tootallnate/once control flow (test tooling only)

Change-Id: I72f34757538f97bb3495a57d7f0263df58102f1e
(cherry picked from commit 1ebe3c0683)
mr13.5
Debora Crescenzo 3 months ago committed by Crescenzo Debora
parent f01a95032f
commit 0cb639dc46

@ -34,7 +34,6 @@
"axios": "1.13.5",
"content-disposition": "^1.0.1",
"core-js": "^3.47.0",
"crypto-browserify": "3.12.1",
"decode-uri-component": "^0.4.0",
"eslint-plugin-no-relative-import-paths": "1.6.1",
"eslint-plugin-unused-imports": "4.3.0",
@ -64,7 +63,7 @@
"devDependencies": {
"@babel/eslint-parser": "^7.25.7",
"@babel/plugin-transform-private-methods": "7.27.1",
"@quasar/app-webpack": "4.3.1",
"@quasar/app-webpack": "4.4.1",
"@quasar/cli": "2.5.0",
"@quasar/quasar-app-extension-testing": "2.2.0",
"@quasar/quasar-app-extension-testing-unit-jest": "3.0.3",
@ -84,10 +83,10 @@
"eslint-plugin-quasar": "1.1.0",
"eslint-plugin-vue": "10.6.2",
"eslint-webpack-plugin": "5.0.2",
"glob": "13.0.1",
"globals": "16.5.0",
"glob": "13.0.6",
"globals": "17.4.0",
"is-valid-glob": "1.0.0",
"jest": "30.2.0",
"jest": "30.3.0",
"jest-serializer-vue": "3.1.0",
"js-yaml": "4.1.1",
"uuid": "13.0.0",
@ -95,11 +94,10 @@
"vuelidate": "^0.7.7"
},
"resolutions": {
"@isaacs/brace-expansion": "5.0.1",
"qs": "6.14.1",
"tar": "7.5.7",
"lodash": "4.17.23",
"lodash-es": "4.17.23"
"serialize-javascript": "^7.0.3",
"**/postcss-svgo/svgo": "^4.0.1",
"dot-object/minimatch": "^3.1.2",
"**/flatted": "3.4.0"
},
"browserslist": [
"last 10 Chrome versions",
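Review bot: The new `resolutions` entries mix caret ranges (`"serialize-javascript": "^7.0.3"`, `"**/postcss-svgo/svgo": "^4.0.1"`, `"dot-object/minimatch": "^3.1.2"`) with the exact pins used by every existing entry in the block and by the new `"**/flatted": "3.4.0"`; a resolution exists to force one known-patched version, so exact pins such as `"serialize-javascript": "7.0.3"` would match the file's convention and keep the audited version from drifting on the next lockfile refresh. The svgo resolution forces a major line that `postcss-svgo` presumably does not declare, so the cssnano SVG optimization path should be exercised in a production build rather than assumed to still work. As rendered, `"lodash-es": "4.17.23"` has no trailing comma before the added entries; that is most likely the rendered view dropping the modified line, but the committed file should be confirmed to parse.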

@ -134,7 +134,6 @@ export default async function (ctx) {
// https://quasar.dev/quasar-cli/handling-webpack
extendWebpack (cfg) {
cfg.resolve.fallback = {
crypto: 'crypto-browserify',
stream: 'stream-browserify',
vm: false
}
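Review bot: Removing the `crypto` key from `cfg.resolve.fallback` leaves the decision implicit, while the sibling `vm: false` entry records its decision explicitly; with webpack 5 an absent fallback makes any future `require('crypto')` from a dependency a build error, whereas `crypto: false` resolves it to an empty module. Either outcome can be the intended one, so a one-line comment next to the fallback object recording why the polyfill is gone, e.g. `// no 'crypto' fallback: polyfill removed, it pulled vulnerable bn.js/elliptic into the bundle`, would keep the next maintainer from re-adding it. The description states the polyfill was unused, so this is a maintainability point rather than a defect. `extendWebpack` and the enclosing `export default async function (ctx)` continue outside the hunk.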
