
Bug 23025: security vulnerability detected in fstream < 1.0.12 defined in yarn.lock

This patch updates the version requirements for modules used by yarn.
Running "yarn upgrade" will upgrade the project's direct dependencies as
listed in package.json. However, the output of "yarn audit" will
identify more vulnerabilities with libraries further down the dependency
tree.

Adding a "resolutions" list in package.json seems to be the way to
include these upgrades in an installation.

After making these changes I ran "yarn install" and "yarn audit" again.
The audit reported no vulnerabilities.

Upgrading yarn.lock should allow for the installation of newer versions
of npm modules in new installations. I believe it is necessary to run
"yarn upgrade" on existing installations in order to bring dependencies
up to versions matching those on existing installations.

To test, run the yarn commands we use to compile SCSS in the staff
client and the opac:

yarn build
yarn build --view opac

They should complete without error.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Branch: remotes/origin/19.11.x
Owen Leonard, 3 years ago; committed by Martin Renvoize
commit 78bf5b3ec6
Signed by: martin.renvoize, GPG Key ID: 422B469130441A0F

5
package.json

@ -24,6 +24,11 @@
"type": "git",
"url": "git://git.koha-community.org/koha.git"
},
"resolutions": {
"minimatch": "^3.0.2",
"lodash": "^4.17.12",
"js-yaml": "^3.13.1"
},
"author": "",
"license": "GPL-3.0"
}
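Review bot: the added "resolutions" block pins minimatch, lodash and js-yaml but not fstream, the package this bug is titled for, so the fstream fix rests only on the regenerated yarn.lock; a later "yarn upgrade" that rewrites the lock file has nothing in package.json holding fstream at or above the audited version. Consider adding `"fstream": "^1.0.12"` next to the other three pins so the requirement survives future upgrades, and note in the commit message that the clean "yarn audit" result is a point-in-time check rather than a property enforced by this file.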

2260
yarn.lock

File diff suppressed because it is too large