Security Vulnerabilities (6124) in Ratel dependent modules

Report a Ratel Bug

Security alerts with npm audit.

What Version of Ratel are you using?

docker pull dgraph/ratel:v21.03.0

What version of Dgraph are you using?

docker pull dgraph/dgraph:v21.03.0

Which Version of the UI are you using?

  • Stable
  • Bleeding Edge
  • Local Offline

Have you tried reproducing the issue with the latest release?

git clone git@github.com:dgraph-io/ratel.git

Steps to reproduce the issue (command/config used to run Dgraph).

cd client
npm audit

Expected behaviour and actual result.

I did not expect there to be 5955 high and 169 moderate vulnerabilities in npm modules used by Ratel.

Actual Results

The audit reports:

found 6124 vulnerabilities (169 moderate, 5955 high) in 2889 scanned packages
  run `npm audit fix` to fix 6052 of them.
  37 vulnerabilities require semver-major dependency updates.
  35 vulnerabilities require manual review. See the full report for details.

The full 98,475-line report is in this gist:

The security issues were mainly with these packages that are used by dependent modules:

  • elliptic
  • hosted-git-info
  • immer
  • lodash
  • postcss
  • ssri
  • ua-parser-js
  • urijs
  • url-parse

These modules are picked up by these packages:

  • @babel/cli [dev]
  • @babel/core [dev]
  • @babel/node
  • @babel/plugin-proposal-class-properties [dev]
  • @babel/preset-env [dev]
  • @babel/preset-react [dev]
  • @svgr/webpack [dev]
  • @testing-library/jest-dom [dev]
  • @typescript-eslint/eslint-plugin [dev]
  • @typescript-eslint/parser [dev]
  • babel-eslint [dev]
  • babel-jest [dev]
  • babel-preset-react-app [dev]
  • css-loader [dev]
  • enzyme [dev]
  • eslint [dev]
  • eslint-plugin-flowtype [dev]
  • eslint-plugin-import [dev]
  • eslint-plugin-jest [dev]
  • eslint-plugin-testing-library [dev]
  • html-webpack-plugin [dev]
  • immer
  • jest [dev]
  • jest-circus [dev]
  • jest-resolve [dev]
  • jsdom [dev]
  • node-sass [dev]
  • optimize-css-assets-webpack-plugin [dev]
  • postcss [dev]
  • postcss-flexbugs-fixes [dev]
  • postcss-loader [dev]
  • postcss-normalize [dev]
  • postcss-preset-env [dev]
  • postcss-safe-parser [dev]
  • react-bootstrap
  • react-dev-utils [dev]
  • resolve-url-loader [dev]
  • sw-precache-webpack-plugin [dev]
  • terser-webpack-plugin [dev]
  • webpack [dev]
  • webpack-dev-server [dev]
  • webpack-manifest-plugin [dev]
  • webpack-visualizer-plugin [dev]
  • workbox-webpack-plugin [dev]
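As an added example (not the issue author's or the Ratel project's code), the following Node script triages an npm 6 `npm audit --json` report the way the two lists above do by hand: it separates modules reached only through devDependencies from those that also arrive through a production dependency such as react-bootstrap. The advisory excerpt and the devDependencies object are constructed samples.

```javascript
// Added example (not from the Ratel issue or project): split an npm 6
// `npm audit --json` report into dev-only and production-reachable findings.
// The audit excerpt and devDependencies below are constructed samples.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed excerpt in the npm 6 report shape: advisories keyed by id, each
// finding carrying ">"-separated dependency chains from a direct dependency.
const sampleAudit = {
  advisories: {
    "1523": { module_name: "lodash", severity: "high",
      findings: [{ version: "4.17.15", paths: ["@babel/core>lodash", "eslint>lodash"] }] },
    "1548": { module_name: "elliptic", severity: "high",
      findings: [{ version: "6.5.2",
        paths: ["webpack>node-libs-browser>crypto-browserify>browserify-sign>elliptic"] }] },
    "1693": { module_name: "lodash", severity: "moderate",
      findings: [{ version: "4.17.15", paths: ["react-bootstrap>lodash"] }] },
  },
};
// Constructed devDependencies as they would appear in client/package.json.
const sampleDevDependencies = { "@babel/core": "^7.0.0", eslint: "^7.0.0", webpack: "^4.0.0" };

function triageAudit(audit, devDependencies) {
  const devRoots = new Set(Object.keys(devDependencies));
  const modules = {};
  for (const adv of Object.values(audit.advisories)) {
    const m = modules[adv.module_name] ||
      (modules[adv.module_name] = { severity: "info", devPaths: 0, prodPaths: 0, prodRoots: [] });
    // Several advisories may hit one module; keep the highest severity seen.
    if (SEVERITY_RANK[adv.severity] > SEVERITY_RANK[m.severity]) m.severity = adv.severity;
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        // The first segment of "a>b>c" is the direct dependency pulling the chain in;
        // a chain rooted in a devDependency is normally build/test tooling, not shipped code.
        const root = path.split(">")[0];
        if (devRoots.has(root)) m.devPaths += 1;
        else { m.prodPaths += 1; if (!m.prodRoots.includes(root)) m.prodRoots.push(root); }
      }
    }
  }
  const names = Object.keys(modules).sort();
  return { modules,
    shipsToProduction: names.filter((n) => modules[n].prodPaths > 0),
    devOnly: names.filter((n) => modules[n].prodPaths === 0) };
}
```

For a real run, save `npm audit --json > audit.json` in `client/` and pass the parsed file together with the `devDependencies` object from `client/package.json`; the modules listed under `shipsToProduction` are the ones to fix first.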