
[VULNERABLE PACKAGE]: wicg-inert package still not completely removed from @carbon/[email protected] #11940

Open
2 tasks done
PatrikHysky opened this issue Jul 23, 2024 · 3 comments · Fixed by #11947
Labels
bug Something isn't working dev Needs some dev work

Comments

@PatrikHysky

Description

Follow up to #11919

Even after this fix, the vulnerable wicg-inert package is still being installed with @carbon/[email protected] as a dependency.

@carbon/[email protected] has a dependency on "carbon-components-react": "7.59.17" which in turn has a dependency on wicg-inert

This triggers a policy check failure during deployment on IBM CIO Hybrid Cloud Cirrus.

Getting policy evaluations
Found results for mend-scan
Successfully retrieved all evaluations

ITSS Chapter 5 2.3c:
Remediate or otherwise appropriately address before release of the IBM Product or Application all Critical and High severity vulnerabilities identified via security testing and which may affect the IBM Product or Application, including open source vulnerabilities.

We found 1 policy violations from mend-scan for this build.
Please resolve the following policy violations prior to release: 

ID: MSC-2024-9045
Score: 9.8
Source: null
Severity: critical
Library: wicg-inert	3.1.2
Description: This package has been identified by Mend as containing potential malicious functionality. The severity of the functionality can change depending on where the library is running (user's machine or backend server). The following risks were identified: Malware dropper – this package contains a Trojan horse, allowing the unauthorized installation of other potentially malicious software.

Component(s) impacted

all

Browser

No response

Carbon for IBM.com version

1.61.0

Severity

Severity 2 = Aspects of design are broken and impede users in a significant way, but there is a way to complete their tasks. Affects major functionality, has a workaround.

Application/website

IBM Redbooks

Package

@carbon/ibmdotcom-web-components, @carbon/web-components, @carbon/ibmdotcom-styles, @carbon/ibmdotcom-services, @carbon/ibmdotcom-utilities

CodeSandbox example

none

Steps to reproduce the issue (if applicable)

No response

Release date (if applicable)

No response

Code of Conduct

@PatrikHysky PatrikHysky added bug Something isn't working dev Needs some dev work labels Jul 23, 2024
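The report above rests on a transitive chain (the web-components package pulls in carbon-components-react 7.59.17, which pulls in wicg-inert), and a scanner such as Mend flags the leaf regardless of how deep it sits. A quick way to confirm whether a flagged package is still present after a fix, and through which path it arrives, is to walk the lockfile the way Node resolves modules. The script below is an added example, not code from this issue or from the Carbon project: it parses a lockfileVersion 3 package-lock.json and returns every dependency chain from the project root to a target package. The embedded lockfile is constructed for the demonstration; the web-components version is a placeholder because the issue does not state it, while the carbon-components-react and wicg-inert versions are the ones quoted in the report.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 layout).
# The @carbon/ibmdotcom-web-components version is a placeholder; the
# carbon-components-react -> wicg-inert edge mirrors the issue report.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "example-app",
            "dependencies": {"@carbon/ibmdotcom-web-components": "0.0.0-placeholder"},
        },
        "node_modules/@carbon/ibmdotcom-web-components": {
            "version": "0.0.0-placeholder",
            "dependencies": {"carbon-components-react": "7.59.17"},
        },
        "node_modules/carbon-components-react": {
            "version": "7.59.17",
            "dependencies": {"wicg-inert": "^3.1.1"},
        },
        "node_modules/wicg-inert": {"version": "3.1.2"},
    },
})


def _pkg_name(path):
    """Map a lockfile path such as 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    return path.split("node_modules/")[-1] if path else ""


def _resolve(packages, from_path, dep_name):
    """Resolve dep_name from from_path the way Node does: look in the nearest
    node_modules directory, then walk upward until the root is reached."""
    base = from_path
    while True:
        candidate = (base + "/node_modules/" + dep_name) if base else ("node_modules/" + dep_name)
        if candidate in packages:
            return candidate
        if not base:
            return None  # not installed (e.g. an optional dependency that was skipped)
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def _label(packages, path):
    return f"{_pkg_name(path)}@{packages[path].get('version', '?')}"


def find_paths(lock_json, target):
    """Return every dependency chain (as 'name@version' lists) from the root
    project to `target`. An empty list means the package is not installed."""
    packages = json.loads(lock_json)["packages"]
    found = []

    def walk(path, chain):
        deps = {}
        for key in ("dependencies", "optionalDependencies"):
            deps.update(packages[path].get(key, {}))
        for dep in deps:
            dep_path = _resolve(packages, path, dep)
            if dep_path is None or dep_path in chain:
                continue  # unresolved, or a cycle we have already entered
            next_chain = chain + [dep_path]
            if dep == target:
                found.append([_label(packages, p) for p in next_chain])
            else:
                walk(dep_path, next_chain)

    walk("", [])
    return found


if __name__ == "__main__":
    chains = find_paths(SAMPLE_LOCK, "wicg-inert")
    if not chains:
        print("wicg-inert is not present in the lockfile")
    for chain in chains:
        print(" -> ".join(chain))
```

Point `find_paths` at a real lockfile with `open("package-lock.json").read()` to check a project after upgrading; in an npm project the same question can also be answered with `npm ls wicg-inert`, which prints the resolved chain from the installed tree. An empty result is the condition the deployment policy check in the report is waiting for.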
@techtolentino

We're getting the same Critical severity warning in our code base

@techtolentino

@annawen1 - thanks for these updates.

I'm a little confused - which version of @carbon/ibmdotcom-web-components can we use, so we don't have the wicg-inert subdependency?

@techtolentino

@annawen1 - disregard, I think I'm confusing the packages and sub-deps

Projects
Status: Review
3 participants