Hi, I’ve been preparing a big project for my company and am almost ready to deploy. However, my colleagues and I are worried about the vulnerabilities it currently has because almost all of them are high priority.
found 44 vulnerabilities (2 moderate, 42 high) in 1839 scanned packages
npm audit fix obviously doesn’t fix any of them.
Many of them are from the package property-expr. Anyway, because they all are dependencies of strapi and/or its plugins I can’t update them and would like to ask if you could check to see if by the next update you could update them.
Thank you. By the way I love strapi and really think you guys are doing a marvellous job.
The problem with the npm vuln scan system is it only takes into account 1 factor out of 3:
Risk (npm gives you the risk)
Probability/Likelihood
Impact
In the vulnerabilities listed in that audit, while they all show high risk, their impact is basically nothing because we don’t use the vulnerable parts of the code and the probability is functionally impossible. (One of them was a prototype pollution in a CSS package, which is a “what in the heck?” type of moment.)
On that note, I’ve already opened (and one has been merged) to fix most of them:
Though there is honestly a much easier way to fix them if you use yarn instead of npm (which we recommend), by that I mean you should never use npm audit fix; like ever.
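A worked illustration of the three-factor triage described in the reply above (added example, not code from the post or from Strapi): it re-scores a constructed `npm audit --json`-shaped sample using per-package reachability notes, so an untriaged finding keeps npm's severity while a finding whose vulnerable code path is never reached drops to zero. The audit object, the placeholder package names and the TRIAGE record format are assumptions.

```javascript
// Added example: re-score `npm audit` findings by likelihood and impact, not npm severity alone.
// SAMPLE_AUDIT is a constructed object in the shape of `npm audit --json` (npm 7+);
// package names and advisory titles are placeholders, not real findings.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "pkg-one":   { severity: "high",     isDirect: false, via: [{ title: "Prototype Pollution" }], effects: ["pkg-two"] },
    "pkg-two":   { severity: "high",     isDirect: true,  via: ["pkg-one"],                         effects: [] },
    "pkg-three": { severity: "moderate", isDirect: false, via: [{ title: "ReDoS" }],               effects: [] },
  },
};

// Constructed triage notes a team would keep next to the lockfile (assumed format):
// reachable = does our code ever call the vulnerable function;
// exposure  = who can influence the input that reaches it.
const TRIAGE = {
  "pkg-one":   { reachable: false, exposure: "none",       note: "vulnerable helper is never called" },
  "pkg-three": { reachable: true,  exposure: "build-only", note: "only runs in the dev build step" },
};

const SEVERITY = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };   // npm's "risk" factor
const LIKELIHOOD = { "user-input": 1.0, internal: 0.5, "build-only": 0.2, none: 0 };

// Score one finding: risk comes from npm, likelihood and impact from the triage record.
function scoreFinding(name, vuln, triage) {
  const risk = SEVERITY[vuln.severity] ?? 0;
  if (!triage) {
    // No triage record: keep npm's full severity so nothing is silently dismissed.
    return { name, score: risk, status: "needs-review", reason: "no triage record" };
  }
  const likelihood = triage.reachable ? (LIKELIHOOD[triage.exposure] ?? 1) : 0;
  const impact = triage.reachable ? 1 : 0;                 // unreachable code has no impact
  const score = Math.round(risk * likelihood * impact * 100) / 100;
  const status = score === 0 ? "accepted" : score >= 2 ? "fix-now" : "schedule";
  return { name, score, status, reason: triage.note };
}

// Score every finding and sort so the highest real priority comes first.
function triageAudit(audit, triage) {
  return Object.entries(audit.vulnerabilities)
    .map(([name, vuln]) => scoreFinding(name, vuln, triage[name]))
    .sort((a, b) => b.score - a.score);
}

// Only direct dependencies can be bumped in our own package.json; transitive ones
// must be fixed upstream, which is the situation the question describes.
function fixableLocally(audit) {
  return Object.entries(audit.vulnerabilities).filter(([, v]) => v.isDirect).map(([n]) => n);
}

for (const r of triageAudit(SAMPLE_AUDIT, TRIAGE)) {
  console.log(`${r.status.padEnd(12)} ${r.score}  ${r.name}: ${r.reason}`);
}
```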