Dependabot alerts #823

EmiM · 2021-05-12T10:58:48Z

This task is to sum up the progress of upgrading/removing vulnerable versions of packages OR keep information why we can't upgrade them.

Current vulnerabilities

Waggle:

lodash < 4.17.21 (blocked by orbitdb - lodash is dependency of libp2p)
hosted-git-info < 2.8.9 (blocked by eslint-plugin-import but they plan to remove the dependency: Security audit fails because of hosted-git-info vulnerability import-js/eslint-plugin-import#2048)
xmlhttprequest-ssl < 1.6.2 (blocked by orbitdb - lodash is dependency of ipfs)
private-ip < 2.0.0 (blocked by orbitdb - lodash is dependency of ipfs - Upgrade js-ipfs -> private-ip versions < 2.0.0 are vulnerable to SSRF attacks orbitdb/orbitdb#882)
node-forge < 0.10.0 (blocked by orbitdb)
ecstatic < 4.1.3 (dependency of http-server - I removed http-server because we don't use it anyway)
normalize-url <4.5.1 (blocked by orbitdb, dependency of ipfs)

ZbayLite

EmiM · 2021-05-12T11:22:02Z

EmiM · 2021-05-12T16:30:01Z

EmiM created this issue from a note in Zbay (Backlog) May 12, 2021

EmiM changed the title ~~Waggle - dependabot alerts~~ Dependabot alerts May 12, 2021

EmiM removed this from Backlog in Zbay Jun 11, 2021

EmiM added this to Backlog in Quiet Jun 14, 2021

Provide feedback