Audit vulnerabilities in transitive package of patternfly-react #1207

Open
pratap0007 opened this issue Aug 13, 2020 · 1 comment · May be fixed by #1208

Comments

@pratap0007

Describe the issue. What is the expected and unexpected behavior?

  • Currently, while using patternfly-react's latest version, i.e. 4.40.3, executing `npm audit` reports vulnerabilities in a transitive package of patternfly-react.

```json
"dependencies": {
    "@patternfly/react-charts": "^5.0.13",
    "@patternfly/react-core": "4.40.3",
    "@patternfly/react-styles": "^3.5.27",
    "@patternfly/react-topology": "^2.8.65",
    "@types/node": "12.13.0",
    "@types/react": "16.9.7",
    "patternfly-react": "^2.39.5",
    "react": "^16.10.2"
}
```

  • Here's the audit report for patternfly-react

```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dot-prop                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ patternfly-react                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ patternfly-react > react-ellipsis-with-tooltip >             │
│               │ semantic-release > @semantic-release/npm > npm > libnpx >    │
│               │ update-notifier > configstore > dot-prop                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1213                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dot-prop                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ patternfly-react                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ patternfly-react > react-ellipsis-with-tooltip >             │
│               │ semantic-release > @semantic-release/npm > npm >             │
│               │ update-notifier > configstore > dot-prop                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1213                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ bootstrap-select                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.13.6                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ patternfly-react                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ patternfly-react > patternfly > bootstrap-select             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1522                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

Please provide the steps to reproduce. Feel free to link CodeSandbox or another tool.

Is this a bug or enhancement? If this issue is a bug, is this issue blocking you or is there a work-around?

What is your product and what release version are you targeting?

@redallen
Contributor

The only relevant vulnerability is in patternfly-react > patternfly > bootstrap-select. Moving to the patternfly-3 repo.

@redallen redallen transferred this issue from patternfly/patternfly-react Sep 29, 2020