Twistlock Vulnerability for node-fetch v1.7.3

[brandydanner-gsa]

The Twistlock results from 1/18/2024 for sam-frontend-entity show two vulnerabilities for the node-fetch v1.7.3 package:

https://nvd.nist.gov/vuln/detail/CVE-2020-15168
https://nvd.nist.gov/vuln/detail/CVE-2022-0235

In sam-frontend-entity, node-fetch is not in package.json, but is found in package-lock.json.

I traced node-fetch up the dependency tree to a dependency for react-syntax-highlighter in sam-styles:

"node_modules/@gsa-sam/sam-styles": {
      "version": "3.0.18",
      "resolved": "https://artifactory.helix.gsa.gov/artifactory/api/npm/ART-001-GP-SFE-npm/@gsa-sam/sam-styles/sam-styles-3.0.18.tgz",
     ...
      "dependencies": {
        ...
        "react-syntax-highlighter": "^15.5.0",
        ...
      }
    },

[davereed]

Check to see that we are on the latest version and has no vulnerability.

[brandydanner-gsa]

Check to see that we are on the latest version and has no vulnerability.

The vulnerability for node-fetch 1.7.3 is still found in each Twistlock report that we run.

[cwolf10]

Hey Brandy, I just took a look at our packages for this vulnerability. I am not seeing v1.7.3 of node-fetch anywhere in our lock file for sam-styles. The only version I see is 2.6.9.

However, I am seeing 1.7.3 in sam-design-system. It appears to be coming from accessible-html5-video-player. @davereed, this is one of those packages that has not been updated in a while, 6 years in this case. How should we move forward to resolve this?