This repository was archived by the owner on Jan 7, 2022. It is now read-only.
Dependabot alerts #823
Open
Description
This task is to sum up the progress of upgrading/removing vulnerable versions of packages, or to keep information on why we can't upgrade them.
Current vulnerabilities
Waggle:
- lodash < 4.17.21 (blocked by orbitdb - lodash is a dependency of libp2p)
- hosted-git-info < 2.8.9 (blocked by eslint-plugin-import, but they plan to remove the dependency: import-js/eslint-plugin-import#2048 "Security audit fails because of hosted-git-info vulnerability")
- xmlhttprequest-ssl < 1.6.2 (blocked by orbitdb - lodash is a dependency of ipfs)
- private-ip < 2.0.0 (blocked by orbitdb - lodash is a dependency of ipfs; see orbitdb/orbitdb#882 "Upgrade js-ipfs -> private-ip versions < 2.0.0 are vulnerable to SSRF attacks")
- node-forge < 0.10.0 (blocked by orbitdb)
- ecstatic < 4.1.3 (dependency of http-server - I removed http-server because we don't use it anyway)
- normalize-url < 4.5.1 (blocked by orbitdb, dependency of ipfs)
ZbayLite:
- sanitize-html < 2.3.2 (version updated)
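One way to verify the "blocked by" claims in a list like the one above against an actual lockfile is to walk the dependency tree, flag every installed copy of a tracked package below its patched version, and list which packages require it. The script below is an added example and is not code from the original issue, from Waggle/ZbayLite, or from orbitdb/ipfs. The thresholds are the ones named in the issue; the lockfile, the `libp2p`/`http-server` version numbers in it, and the function names `compareVersions`, `findVulnerable`, `dependents` and `formatReport` are constructed for illustration. It assumes the `lockfileVersion: 1` layout (nested `dependencies` plus `requires` per entry).

```javascript
// Added example, not from the original issue. Audits a package-lock.json (lockfileVersion 1)
// for tracked packages below their patched version and shows which dependency pulls them in.

// Minimum versions taken from the issue text above (package -> first non-vulnerable version).
const MIN_SAFE_VERSIONS = {
  "lodash": "4.17.21",
  "hosted-git-info": "2.8.9",
  "xmlhttprequest-ssl": "1.6.2",
  "private-ip": "2.0.0",
  "node-forge": "0.10.0",
  "ecstatic": "4.1.3",
  "normalize-url": "4.5.1",
  "sanitize-html": "2.3.2",
};

// Minimal comparison of plain "major.minor.patch" strings (pre-release tags are not handled,
// which is sufficient for the thresholds above). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the nested "dependencies" tree and collect every installed copy of a tracked package
// whose version is below the threshold. Each finding records the chain of parent packages,
// which for a nested (non-hoisted) copy is exactly the package that blocks the upgrade.
function findVulnerable(lock, minVersions = MIN_SAFE_VERSIONS) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${entry.version}`];
      if (minVersions[name] && compareVersions(entry.version, minVersions[name]) < 0) {
        findings.push({
          name,
          version: entry.version,
          minSafe: minVersions[name],
          path: here.join(" > "),
        });
      }
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return findings;
}

// For a hoisted (top-level) vulnerable package the path alone does not say who needs it,
// so list every package anywhere in the tree whose "requires" names the target.
function dependents(lock, target) {
  const result = [];
  function walk(deps) {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (entry.requires && target in entry.requires) result.push(name);
      walk(entry.dependencies);
    }
  }
  walk(lock.dependencies);
  return result.sort();
}

// Human-readable report: one line per finding, with the packages that require it.
function formatReport(lock) {
  return findVulnerable(lock).map((f) => {
    const who = dependents(lock, f.name);
    return `${f.path}: ${f.version} < ${f.minSafe}` +
      (who.length ? ` (required by: ${who.join(", ")})` : "");
  });
}

// Constructed sample lockfile; the version numbers of libp2p and http-server are placeholders.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "lodash": { version: "4.17.20", requires: {} },                 // hoisted, below 4.17.21
    "libp2p": { version: "0.0.1", requires: { "lodash": "^4.17.15" } },
    "sanitize-html": { version: "2.3.2", requires: {} },            // already patched
    "http-server": {
      version: "0.0.1",
      requires: { "ecstatic": "^3.3.2" },
      dependencies: {
        "ecstatic": { version: "3.3.2", requires: {} },             // nested copy, below 4.1.3
      },
    },
  },
};

for (const line of formatReport(SAMPLE_LOCK)) console.log(line);
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the "required by" column is what turns a Dependabot alert into a concrete "blocked by X" entry, and an empty findings list is the check that an item can be marked resolved.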