Context Navigation

← Previous Ticket
Next Ticket →

#49840 closed defect (bug) (duplicate)

Twenty Twenty: Usage of outdated package-lock.json poses security risk

Reported by:	JeffMatson	Owned by:	whyisjake
Milestone:		Priority:	normal
Severity:	normal	Version:
Component:	Build/Test Tools	Keywords:	has-patch needs-testing
Focuses:		Cc:

Description

The current version of Twenty Twenty (1.2) contains a package-lock.json file which uses a very old version of minimist which has a known security vulnerability (see: CVE-2020-7598).

Not a valid HackerOne report per policy:

Vulnerabilities in Composer/NPM devDependencies, unless there's a practical way to exploit it remotely.

While not likely to get exploited in the wild unless someone were to push their node_modules to a live site after running tests/builds, it will cause security alerts to go off if monitored.

Attached is a regenerated lockfile which should resolve any issues there.

Attachments (1)

package-lock.json (438.4 KB) - added by JeffMatson 6 years ago.: Lockfile regenerated using the current package.json file.

Download all attachments as: .zip

Change History (5)

@JeffMatson
6 years ago

Attachment package-lock.json added

Lockfile regenerated using the current package.json file.

#1 @SergeyBiryukov
6 years ago

Milestone changed from Awaiting Review to 5.5

This ticket was mentioned in Slack in #core by david.baumwald. View the logs.

6 years ago

#3 @whyisjake
6 years ago

Owner set to whyisjake
Status changed from new to accepted

#4 @whyisjake
6 years ago

Milestone 5.5 deleted
Resolution set to duplicate
Status changed from accepted to closed

Duplicate of #49768.

Thanks for the ticket @JeffMatson. This was resolved in [47925].

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats:

Make WordPress Core