Follow-up from the security readiness review (T227346). Several npm packages were identified as vulnerable or outdated. We should investigate each and either remediate the problem (i.e., upgrade) or document why that's not possible and when it will be.
Vulnerable Packages
As reported by npm audit and retirejs:
- jquery 3.3.1, prototype pollution
  - dependency of wikimedia/mw-node-qunit
  - https://nodesecurity.io/advisories/796
  - Affected files (post npm install):
    - node_modules/jquery/dist/jquery.js
    - node_modules/jquery/dist/jquery.min.js
    - node_modules/jquery/dist/jquery.slim.js
    - node_modules/jquery/dist/jquery.slim.min.js
    - node_modules/jquery/package.json
Outdated Packages
As reported via npm outdated:
No explicit vulnerabilities reported, simply noting for completeness' sake.
Package | Current | Wanted | Latest |
---|---|---|---|
@wikimedia/mw-node-qunit | 6.0.0 | git | git |
eslint-config-wikimedia | 0.12.0 | 0.12.0 | 0.15.0 |
grunt-banana-checker | 0.7.0 | 0.7.0 | 0.8.1 |
grunt-eslint | 21.0.0 | 21.0.0 | 22.0.0 |
grunt-stylelint | 0.11.1 | 0.11.1 | 0.12.0 |
oojs | 2.2.2 | 2.2.2 | 3.0.0 |
stylelint | 9.10.1 | 9.10.1 | 11.1.1 |
stylelint-config-wikimedia | 0.6.0 | 0.6.0 | 0.7.0 |