Opened 4 years ago
Closed 4 years ago
#49840 closed defect (bug) (duplicate)
Twenty Twenty: Usage of outdated package-lock.json poses security risk
| Reported by: | JeffMatson | Owned by: | whyisjake |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Build/Test Tools | Keywords: | has-patch needs-testing |
| Focuses: | | Cc: | |
Description
The current version of Twenty Twenty (1.2) contains a package-lock.json file which uses a very old version of minimist, which has a known security vulnerability (see: CVE-2020-7598).

Not a valid HackerOne report per policy:

Vulnerabilities in Composer/NPM devDependencies, unless there's a practical way to exploit it remotely.

While not likely to get exploited in the wild unless someone were to push their node_modules to a live site after running tests/builds, it will cause security alerts to go off if monitored.

Attached is a regenerated lockfile which should resolve any issues there.
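A way to check a lockfile for exactly this class of problem, as an added example that is not code from the Twenty Twenty project or from the attached patch: it walks a package-lock.json (both the nested lockfileVersion 1 "dependencies" tree and the flat "packages" map of lockfile v2/v3), reports every pinned copy of a named package whose version is below a given minimum, and carries the lockfile's dev flag so that findings confined to devDependencies can be weighed against the policy quoted above. The two sample lockfiles and the MIN_PATCHED value of 1.2.5 are constructed for illustration; the page does not state the patched version for CVE-2020-7598, so the real threshold must be taken from the advisory.

```javascript
// Added example (not project code): audit a package-lock.json for an
// outdated pinned copy of one package. Assumes plain Node.js, no extra deps.

// Parse "1.2.0" into [1, 2, 0]; a pre-release suffix such as "-beta" is dropped.
function parseSemver(v) {
  return String(v).split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every occurrence of `name` in the lockfile, including copies nested
// under other packages (the common way an old version survives a regeneration).
// lockfileVersion 2 carries both "packages" and "dependencies"; the flat
// "packages" map is authoritative there, so the tree is only walked for v1.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: info.version, dev: Boolean(info.dev) });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [depName, info] of Object.entries(deps)) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) hits.push({ path, version: info.version, dev: Boolean(info.dev) });
      if (info.dependencies) walk(info.dependencies, `${path}/`);
    }
  };
  if (lock.dependencies) walk(lock.dependencies, '');
  return hits;
}

// Return the occurrences pinned below `minPatched`, keeping the dev flag so a
// reviewer can see whether a finding is devDependency-only.
function auditLockfile(lock, name, minPatched) {
  return findPackage(lock, name)
    .filter((h) => compareSemver(h.version, minPatched) < 0)
    .map((h) => ({ ...h, minPatched }));
}

// Constructed threshold: placeholder only, take the real value from the advisory.
const MIN_PATCHED = '1.2.5';

// Constructed lockfileVersion 1 sample: one nested dev copy, one current copy,
// one nested copy pulled in by a runtime dependency.
const SAMPLE_LOCK_V1 = {
  name: 'sample-theme',
  lockfileVersion: 1,
  dependencies: {
    mkdirp: {
      version: '0.5.1', dev: true, requires: { minimist: '0.0.8' },
      dependencies: { minimist: { version: '0.0.8', dev: true } },
    },
    minimist: { version: '1.2.5', dev: true },
    'some-runtime-lib': {
      version: '2.0.0', requires: { minimist: '1.1.0' },
      dependencies: { minimist: { version: '1.1.0' } },
    },
  },
};

// Constructed lockfileVersion 2 sample with the same nested dev copy.
const SAMPLE_LOCK_V2 = {
  name: 'sample-theme',
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-theme', devDependencies: { mkdirp: '^0.5.1' } },
    'node_modules/mkdirp': { version: '0.5.1', dev: true },
    'node_modules/mkdirp/node_modules/minimist': { version: '0.0.8', dev: true },
    'node_modules/minimist': { version: '1.2.5', dev: true },
  },
  dependencies: {}, // v1-style tree is also present in v2; ignored above
};

for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V2]) {
  for (const f of auditLockfile(lock, 'minimist', MIN_PATCHED)) {
    console.log(`${f.path} pins ${f.version} < ${f.minPatched}${f.dev ? ' (dev only)' : ''}`);
  }
}
```

To run it against a real tree, replace the samples with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. The dev flag is what separates a finding that matches the quoted devDependencies exclusion from one that ships in a production bundle; in the v1 sample the copy under some-runtime-lib is the one a reviewer would treat as more than a scanner alert.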
Attachments (1)
Change History (5)
This ticket was mentioned in Slack in #core by david.baumwald. (4 years ago)
Lockfile regenerated using the current package.json file.