eherbstuc
Forum Replies Created
Thank you – I know that it isn’t included in the production release, and isn’t actually causing a vulnerability in production, however it showed up on our codebase vulnerability scans, and isn’t something we want to have to explain to our enterprise clients when they request vulnerability scans of our platform.
Please fix, so I can continue to use GreenShift (which I am a big fan of) in my organization.
I’m well aware of what these security issues are. You are completely wrong that these are a current dependency of wordpress/scripts; they were patched years ago by WordPress, and current wordpress scripts depends on a patched version of babel. You are depending on "version": "22.5.0" of wordpress scripts (check line 4267 of the package-lock.json in greenshiftwoo), which was published 3 years ago.
https://www.npmjs.com/package/@wordpress/scripts/v/22.5.0
- This reply was modified 1 year, 3 months ago by eherbstuc.
Any update on this?
For example, "@babel/traverse": "^7.20.1" is in the package-lock.json for greenshiftwoo, which is impacted by NVD CVE-2023-45133. These should be relatively easy to fix by just upgrading the version in the package.json, but we don’t want to have to do this ourselves, since we would have to redo it every time we update a greenshift plugin.
Our GitHub dependabot scan identifies them as issues; while they may not be direct dependencies, they are in the dependency graph, as they show up in the package-lock.json in our greenshift plugins.
- This reply was modified 1 year, 4 months ago by eherbstuc.
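The posts above describe a scanner flagging a vulnerable @babel/traverse that is pinned transitively in a plugin's package-lock.json, even though it is only a build-time dependency. The following Python script is an added example (not the forum's, GreenShift's or @wordpress/scripts' own code) that reproduces that kind of check offline: it walks a lockfile in either the v1 ("dependencies") or v2/v3 ("packages") layout, reports every installed copy of a package listed in a small advisory table, and marks whether each copy is transitive and dev-only, which is the distinction the thread turns on. The fixed-version threshold 7.23.2 for CVE-2023-45133 is taken from Babel's published advisory; the sample lockfile contents, including the version 7.20.5, are constructed for the demonstration.

```python
"""Audit a package-lock.json for copies of a known-vulnerable package.

Usage: python lock_audit.py [path/to/package-lock.json]
Without an argument it runs against the constructed sample lockfiles below.
"""
import json
import re
import sys
from typing import Iterator, List, Tuple

# Package -> first fixed version. CVE-2023-45133 is fixed in @babel/traverse 7.23.2
# (Babel advisory GHSA-67hx-6x53-jw92); anything below that is affected.
ADVISORIES = {"@babel/traverse": "7.23.2"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.20.5' (optionally with a '-prerelease' suffix) into a comparable tuple."""
    core = v.split("-", 1)[0]
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", core)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())


def iter_installed(lock: dict) -> Iterator[Tuple[str, str, str, bool]]:
    """Yield (name, installed_version, lockfile_path, is_dev) for every entry.

    Handles lockfileVersion 2/3 (flat "packages" keyed by node_modules path)
    and lockfileVersion 1 (nested "dependencies" trees)."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path or "version" not in meta:  # "" is the root project itself
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, meta["version"], path, bool(meta.get("dev", False))
    else:
        def walk(deps: dict, prefix: str):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield name, meta["version"], path, bool(meta.get("dev", False))
                yield from walk(meta.get("dependencies", {}), path + "/")
        yield from walk(lock.get("dependencies", {}), "")


def find_vulnerable(lock: dict, advisories=ADVISORIES) -> List[dict]:
    """Return one record per installed copy whose version is below the fixed version."""
    hits = []
    for name, version, path, is_dev in iter_installed(lock):
        fixed = advisories.get(name)
        if fixed and parse_version(version) < parse_version(fixed):
            hits.append({
                "name": name, "version": version, "fixed_in": fixed, "path": path,
                # more than one node_modules/ segment means it was pulled in by another package
                "transitive": path.count("node_modules/") > 1,
                "dev_only": is_dev,
            })
    return hits


# Constructed sample: a lockfile v3 with a patched top-level @babel/traverse and an
# older copy nested under @wordpress/scripts (the versions here are made up).
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "example-plugin", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-plugin", "devDependencies": {"@wordpress/scripts": "22.5.0"}},
    "node_modules/@wordpress/scripts": {"version": "22.5.0", "dev": true},
    "node_modules/@babel/core": {"version": "7.21.0", "dev": true},
    "node_modules/@babel/traverse": {"version": "7.23.2", "dev": true},
    "node_modules/@wordpress/scripts/node_modules/@babel/traverse": {"version": "7.20.5", "dev": true}
  }
}""")

# Constructed sample: the same situation in the older nested v1 layout.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "@wordpress/scripts": {"version": "22.5.0", "dev": True,
                               "dependencies": {"@babel/traverse": {"version": "7.20.5", "dev": True}}}
    },
}


def report(lock: dict) -> None:
    for h in find_vulnerable(lock):
        kind = "transitive" if h["transitive"] else "direct"
        scope = "dev-only" if h["dev_only"] else "production"
        print(f"{h['name']}@{h['version']} ({kind}, {scope}) at {h['path']}; fixed in {h['fixed_in']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report(json.load(fh))
    else:
        report(SAMPLE_LOCK_V3)
        report(SAMPLE_LOCK_V1)
```

Pointing the script at a real plugin's package-lock.json shows the same thing Dependabot reports: the nested copy is what gets flagged, and the "dev-only" column is the information needed to explain to a client that the finding is confined to the build toolchain.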