Vulnerability on corteza package

Hi,

I launched a vulnerability analysis on the packages used in your source code and found 8 problems (more or less on 4 packages only):

axios 0.21.1 NVD CVE-2021-3749 High
postcss 6.0.23 NVD CVE-2021-23382 Medium
postcss 7.0.21 NVD CVE-2021-23382 Medium
postcss 7.0.21 OSSINDEX e3f310ed-219c-4087-aa58-8425b13c3ec5 High
postcss 7.0.21 NVD CVE-2021-23368 Medium
axios 0.15.3 NVD CVE-2019-10742 High
axios 0.15.3 OSSINDEX 293be0b3-9672-4e36-b530-44be7f592d0a High
axios 0.15.3 NVD CVE-2021-3749 High

How can we manage package upgrades to be sure we do not have vulnerabilities in Corteza?

Thanks !

Mike

I’ve opened up a ticket for us to get it resolved.
What branch was this tested on? If you are able, feel free to open up a PR to address these.

Thanks @tjerman !

I tested on 2021.9.8, the last stable (released) version for me. But I can also test on others if you want.

Hi,

Do you have any update about that security point? It is considered a priority for us for security reasons. We tried to check the source code but we are not experts… and it looks very complicated to update packages on Corteza directly.

Best

Hi Mike,
If you don’t mind, could you share what tool you used for the scanning? Thanks.

For version 2022.3.3 packages were updated so some of the vulnerabilities are fixed.
Others are from dependencies that we cannot replace yet.