Strapi 3.6.5 vulnerabilities

System Information
  • Strapi Version: 3.6.5
  • Operating System: macOS
  • Database: mysql
  • Node Version: v14.15.5
  • NPM Version: 6.14.11
  • Yarn Version: -

Hi, I’ve been preparing a big project for my company and am almost ready to deploy. However, my colleagues and I are worried about the vulnerabilities it currently has, because almost all of them are high priority.

found 44 vulnerabilities (2 moderate, 42 high) in 1839 scanned packages

npm audit fix obviously doesn’t fix any of them.

Many of them are from the package property-expr. Anyway, because they all are dependencies of strapi and/or its plugins I can’t update them and would like to ask if you could check to see if by the next update you could update them.

Thank you. By the way I love strapi and really think you guys are doing a marvellous job.

I can’t insert the list because it has too many characters. So here is a link to it: https://workflowy.com/s/vulnerabilities-stra/DMzLzFMujB6Wmsvt

I’ll share a link to this issue comment:

The problem with the npm vuln scan system is it only takes into account 1 factor out of 3:

  • Risk (npm gives you the risk)
  • Probability/Likelihood
  • Impact

In the vulnerabilities listed in that audit, while they all show high risk, their impact is basically nothing because we don’t use the vulnerable parts of the code, and the probability is functionally impossible. (One of them was a prototype pollution in a CSS package, which is a “what in the heck?” type of moment.)

On that note, I’ve already opened (and one has been merged) to fix most of them:

Though there is honestly a much easier way to fix them if you use yarn instead of npm (which we recommend). By that I mean you should never use npm audit fix; like, ever.

  "resolutions": {
    "yup": "^0.32.9",
    "lodash": "4.17.21"
  },

The remaining 3 are functionally impossible/no impact both in terms of likelihood and impact

Okay, thank you very much for the quick response!
I’ll keep in mind your recommendations going forward.