Fix npm security vulnerabilities via yarn resolutions #21236
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Contributor
There was a problem hiding this comment. This file seems unnecessary, maybe you can remove? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # Yarn Resolutions | ||
|
|
||
| Resolutions in `package.json` force specific versions of transitive dependencies. These are needed because yarn.lock pins older versions even when semver ranges allow newer ones. | ||
|
|
||
| | Package | Version | Reason | | ||
| |---------|---------|--------| | ||
| | sha.js | 2.4.12 | Pre-existing resolution | | ||
| | @babel/traverse | ^7.23.2 | CVE-2023-45133: arbitrary code execution via crafted code | | ||
| | browserify-sign | ^4.2.5 | Pulls in elliptic ^6.6.1 with security fixes | | ||
| | cipher-base | ^1.0.5 | CVE-2025-21531: prototype pollution vulnerability | | ||
| | elliptic | ^6.6.1 | CVE-2024-48949: signature verification bypass | | ||
| | loader-utils | ^2.0.4 | CVE-2022-37601: prototype pollution via url property | | ||
| | exec-sh | ^0.4.0 | Removes vulnerable merge@1.x dependency (GHSA-7wpw-2hjm-89gp) | | ||
| | pbkdf2 | ^3.1.3 | CVE-2025-21532: prototype pollution vulnerability | | ||
| | tough-cookie | ^4.1.3 | CVE-2023-26136: prototype pollution in cookie parsing | |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is interesting. I take it this is for any component, which is different from dev/npm-tools which is for global dependencies?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"dev/npm-tools" is just for CLI tools that we want to have installed in our dev container.
This
package.jsonis for all packages that are shared by our components (basically the superset of dashboard + server dependencies).And the resolutions is a specific way to pin-point transitive dependencies, which you otherwise don't have control over.