Bumped up packages:
* glob
* globals
* jest
* @quasar/app-webpack
Yarn resolutions added
- `serialize-javascript: ^7.0.3` — fixes high-severity RCE vulnerability
via RegExp.flags/Date.toISOString() (CVE in terser-webpack-plugin and
@quasar/ssr-helpers paths)
- `**/postcss-svgo/svgo: ^4.0.1` — fixes high-severity Billion Laughs
DoS (XML entity expansion) in cssnano's SVG optimization pipeline
- `dot-object/minimatch: ^3.1.2` — fixes high-severity ReDoS in
dot-object's glob dependency
- `**/flatted: 3.4.0` — fixes high-severity unbounded recursion DoS
in eslint and eslint-webpack-plugin's caching layer
What remains (30 vulnerabilities — all upstream-blocked)
The remaining vulnerabilities are entirely confined to dev-only
tooling and cannot be fixed without upstream releases:
- minimatch ReDoS across jest, @vue/test-utils, jest-serializer-vue,
@quasar/app-webpack, @quasar/quasar-app-extension-testing-unit-jest
- ajv ReDoS across eslint, eslint-webpack-plugin, @quasar/app-webpack
- webpack SSRF (buildHttp feature, not used in this project)
- qs DoS in webpack-dev-server's express (local dev only)
- esbuild dev server CORS issue (local dev only)
- vue-template-compiler XSS (no patch available upstream)
- tmp symlink issue, @tootallnate/once control flow (test tooling only)
Change-Id: I72f34757538f97bb3495a57d7f0263df58102f1e
(cherry picked from commit 1ebe3c0683)
mr11.5
parent 1e1206d323
commit f8f5333275