Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#49840 closed defect (bug) (duplicate)

Twenty Twenty: Usage of outdated package-lock.json poses security risk

Reported by: jeffmatson's profile JeffMatson Owned by: whyisjake's profile whyisjake
Milestone: Priority: normal
Severity: normal Version:
Component: Build/Test Tools Keywords: has-patch needs-testing
Focuses: Cc:


The current version of Twenty Twenty (1.2) contains a package-lock.json file which uses a very old version of minimist which has a known security vulnerability (see: CVE-2020-7598).

Not a valid HackerOne report per policy:

Vulnerabilities in Composer/NPM devDependencies, unless there's a practical way to exploit it remotely.

While not likely to get exploited in the wild unless someone were to push their node_modules to a live site after running tests/builds, it will cause security alerts to go off if monitored.

Attached is a regenerated lockfile which should resolve any issues there.

Attachments (1)

package-lock.json (438.4 KB) - added by JeffMatson 4 years ago.
Lockfile regenerated using the current package.json file.

Download all attachments as: .zip

Change History (5)

4 years ago

Lockfile regenerated using the current package.json file.

#1 @SergeyBiryukov
4 years ago

  • Milestone changed from Awaiting Review to 5.5

This ticket was mentioned in Slack in #core by david.baumwald. View the logs.

4 years ago

#3 @whyisjake
4 years ago

  • Owner set to whyisjake
  • Status changed from new to accepted

#4 @whyisjake
4 years ago

  • Milestone 5.5 deleted
  • Resolution set to duplicate
  • Status changed from accepted to closed

Duplicate of #49768.

Thanks for the ticket @JeffMatson. This was resolved in [47925].

Note: See TracTickets for help on using tickets.