Make WordPress Core

Opened 7 weeks ago

Last modified 7 weeks ago

#49840 new defect (bug)

Twenty Twenty: Usage of outdated package-lock.json poses security risk

Reported by: JeffMatson
Owned by:
Milestone: 5.5
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords: has-patch needs-testing
Focuses:
Cc:

Description

The current version of Twenty Twenty (1.2) contains a package-lock.json file which uses a very old version of minimist that has a known security vulnerability (see: CVE-2020-7598).

Not a valid HackerOne report per policy:

Vulnerabilities in Composer/NPM devDependencies, unless there's a practical way to exploit it remotely.

While not likely to get exploited in the wild unless someone were to push their node_modules to a live site after running tests/builds, it will cause security alerts to go off if monitored.

Attached is a regenerated lockfile which should resolve any issues there.
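As an added example (not code from this ticket, from the Twenty Twenty theme, or from WordPress core), the following Node script does the check a maintainer would want before and after regenerating the lockfile: it walks a package-lock.json, lists every installed copy of minimist (including transitive copies nested under other packages, which is where stale pins usually hide), and flags the ones still affected by CVE-2020-7598. It handles both lockfile v1 (npm 5/6, nested "dependencies") and lockfile v2/v3 (npm 7+, flat "packages"). The patched-version thresholds, 0.2.1 for the 0.x line and 1.2.3 for the 1.x line, are taken from the public advisory for the CVE; the sample lockfile objects are constructed for illustration and are not the theme's real lockfile, and the script name and CLI usage are assumptions of this example.

```javascript
'use strict';
// Added example: find minimist copies in a package-lock.json that are still
// affected by CVE-2020-7598 (prototype pollution). Thresholds below are the
// first fixed release per major line as published in the advisory; 2.x and
// later were never affected. Everything else here is an assumption of this
// example, not the project's own tooling.
const FIXED_MINIMIST = { 0: [0, 2, 1], 1: [1, 2, 3] };

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given minimist version predates the fix for its major line.
function isVulnerableMinimist(version) {
  const v = parseVersion(version);
  if (v === null) return false; // e.g. a git URL: cannot judge from the string alone
  const fixed = FIXED_MINIMIST[v[0]];
  return fixed !== undefined && compareVersions(v, fixed) < 0;
}

// Collect every installed copy of minimist with its node_modules path.
// Lockfile v1 nests transitive deps under each package's "dependencies";
// lockfile v2/v3 lists every package in a flat "packages" map keyed by path
// (v2 carries both trees, so "packages" wins to avoid double counting).
function collectMinimist(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === 'node_modules/minimist' || path.endsWith('/node_modules/minimist')) {
        found.push({ path, version: info.version, dev: Boolean(info.dev) });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'minimist') found.push({ path, version: info.version, dev: Boolean(info.dev) });
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Entries that still need the lockfile regenerated (or minimist bumped).
function audit(lock) {
  return collectMinimist(lock).filter((e) => isVulnerableMinimist(e.version));
}

// Constructed sample lockfiles (not the theme's real lockfile): a stale
// transitive minimist 0.0.8 pinned under mkdirp 0.5.1, the pattern that
// typically triggers this alert, next to a current top-level copy.
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    mkdirp: {
      version: '0.5.1',
      dev: true,
      requires: { minimist: '0.0.8' },
      dependencies: { minimist: { version: '0.0.8', dev: true } },
    },
    minimist: { version: '1.2.5', dev: true },
  },
};
const SAMPLE_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-project', devDependencies: { mkdirp: '^0.5.1', minimist: '^1.2.3' } },
    'node_modules/mkdirp': { version: '0.5.1', dev: true, dependencies: { minimist: '0.0.8' } },
    'node_modules/mkdirp/node_modules/minimist': { version: '0.0.8', dev: true },
    'node_modules/minimist': { version: '1.2.3', dev: true },
  },
};

// Usage (assumed file name): node check-minimist.js path/to/package-lock.json
// Exits 1 when a vulnerable copy is present, so it can gate a CI job.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const hits = audit(JSON.parse(fs.readFileSync(process.argv[2], 'utf8')));
  for (const h of hits) {
    console.log(`${h.path}: minimist ${h.version}${h.dev ? ' (devDependency)' : ''}`);
  }
  process.exit(hits.length > 0 ? 1 : 0);
}
```

Run it against the old lockfile and the regenerated one: the old file should produce one or more flagged paths and exit 1, the regenerated file none. `npm audit` covers the general case; this script is the narrow, offline check for the one CVE the ticket is about, and because it reports install paths it shows whether the stale copy is a top-level pin or a transitive one that only a lockfile regeneration (not a package.json edit) will clear.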

Attachments (1)

package-lock.json (438.4 KB) - added by JeffMatson 7 weeks ago.
Lockfile regenerated using the current package.json file.


Change History (2)

@JeffMatson
7 weeks ago

Lockfile regenerated using the current package.json file.

#1 @SergeyBiryukov
7 weeks ago

  • Milestone changed from Awaiting Review to 5.5