MT#64579 Reduce npm audit vulnerabilities from 132 to 30

- Removed `crypto-browserify` from package.json and quasar.config.js
  (unused webpack polyfill that was bundling vulnerable bn.js and
  elliptic into the production build)

Bumped up packages:
* glob
* globals
* jest
* @quasar/app-webpack

Yarn resolutions added
- `serialize-javascript: ^7.0.3` — fixes high-severity RCE vulnerability
  via RegExp.flags/Date.toISOString() (CVE in terser-webpack-plugin and
  @quasar/ssr-helpers paths)
- `**/postcss-svgo/svgo: ^4.0.1` — fixes high-severity Billion Laughs
  DoS (XML entity expansion) in cssnano's SVG optimization pipeline
- `dot-object/minimatch: ^3.1.2` — fixes high-severity ReDoS in
  dot-object's glob dependency
- `**/flatted: 3.4.0` — fixes high-severity unbounded recursion DoS
  in eslint and eslint-webpack-plugin's caching layer

What remains (30 vulnerabilities — all upstream-blocked)
The remaining vulnerabilities are entirely confined to dev-only
tooling and cannot be fixed without upstream releases:
- minimatch ReDoS across jest, @vue/test-utils, jest-serializer-vue,
  @quasar/app-webpack, @quasar/quasar-app-extension-testing-unit-jest
- ajv ReDoS across eslint, eslint-webpack-plugin, @quasar/app-webpack
- webpack SSRF (buildHttp feature, not used in this project)
- qs DoS in webpack-dev-server's express (local dev only)
- esbuild dev server CORS issue (local dev only)
- vue-template-compiler XSS (no patch available upstream)
- tmp symlink issue, @tootallnate/once control flow (test tooling only)

Change-Id: I72f34757538f97bb3495a57d7f0263df58102f1e
(cherry picked from commit 1ebe3c0683)
(cherry picked from commit 02f055d921)
mr12.5.1
Debora Crescenzo 3 months ago committed by Crescenzo Debora
parent 967365edd2
commit 35ef187d89

@ -34,7 +34,6 @@
"axios": "1.13.5",
"content-disposition": "^1.0.1",
"core-js": "^3.47.0",
"crypto-browserify": "3.12.1",
"decode-uri-component": "^0.4.0",
"eslint-plugin-no-relative-import-paths": "1.6.1",
"eslint-plugin-unused-imports": "4.3.0",
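Review bot: the rendering has lost the +/- markers, but the `-34,7 +34,6` counts show exactly one dropped line, `"crypto-browserify": "3.12.1"`. Before merging, grep the browser-side sources (and the dependencies that end up in the client bundle) for `require('crypto')` / `import ... from 'crypto'`, because the matching webpack fallback is removed in the quasar.config.js hunk below and any leftover import will no longer resolve; a clean `quasar build` is the check that should accompany this hunk. A `yarn why bn.js` / `yarn why elliptic` after the change would also confirm the commit message's claim that those packages have left the production dependency tree rather than being reached through some other path.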
@ -86,7 +85,7 @@
"glob": "13.0.1",
"globals": "16.5.0",
"is-valid-glob": "1.0.0",
"jest": "30.2.0",
"jest": "30.3.0",
"jest-serializer-vue": "3.1.0",
"js-yaml": "4.1.1",
"uuid": "13.0.0",
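Review bot: this hunk only bumps `jest` from `30.2.0` to `30.3.0`; `glob` (13.0.1) and `globals` (16.5.0) appear here as unchanged context even though the commit message lists them, together with `@quasar/app-webpack`, under "Bumped up packages". Either those bumps landed in hunks not shown on this page or the message overstates the change; `git show -- package.json` on the branch would settle it, and the message should match the diff either way.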
@ -94,11 +93,10 @@
"vuelidate": "^0.7.7"
},
"resolutions": {
"@isaacs/brace-expansion": "5.0.1",
"qs": "6.14.1",
"tar": "7.5.7",
"lodash": "4.17.23",
"lodash-es": "4.17.23"
"serialize-javascript": "^7.0.3",
"**/postcss-svgo/svgo": "^4.0.1",
"dot-object/minimatch": "^3.1.2",
"**/flatted": "3.4.0"
},
"browserslist": [
"last 10 Chrome versions",
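Review bot: as rendered, `"lodash-es": "4.17.23"` has no trailing comma and is followed directly by `"serialize-javascript": "^7.0.3",`; if the old `lodash-es` line was kept as-is instead of being replaced by a comma-terminated copy, the resulting package.json is not valid JSON and `yarn install` will refuse it. The missing +/- markers make that impossible to tell from this page, so run `node -e "JSON.parse(require('fs').readFileSync('package.json','utf8'))"` (or just `yarn install --frozen-lockfile`) as the check. Also note that Yarn applies a resolution regardless of the range the consuming package declares: if `serialize-javascript` ^7 is above what terser-webpack-plugin or @quasar/ssr-helpers ask for, or `svgo` ^4 above what postcss-svgo asks for, the consumer's API expectations may no longer hold, so a successful production build plus a spot-check that SSR output and minified CSS/SVG are unchanged is what justifies these four lines. Finally, `**/flatted` is pinned to exactly 3.4.0 while the other new entries use caret ranges; a caret would let the next upstream fix arrive with a plain `yarn upgrade` instead of another resolutions edit.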

@ -125,7 +125,6 @@ module.exports = function (ctx) {
// https://quasar.dev/quasar-cli/handling-webpack
extendWebpack(cfg) {
cfg.resolve.fallback = {
crypto: 'crypto-browserify',
stream: 'stream-browserify',
vm: false
}
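Review bot: dropping `crypto: 'crypto-browserify'` from `cfg.resolve.fallback` is the right companion to removing the package: with no fallback entry, webpack 5 fails the build with "Module not found: Can't resolve 'crypto'" for any browser-side import instead of silently bundling the polyfill, so the build itself verifies that nothing still needs it. Avoid papering over such an error with `crypto: false`, which would substitute an empty module and move the failure to runtime. The same question applies to the remaining `stream: 'stream-browserify'` entry: if it existed only to support the removed polyfill, it can go in a follow-up with the same build check.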

File diff suppressed because it is too large