[wp-trac] [WordPress Trac] #49840: Twenty Twenty: Usage of outdated package-lock.json poses security risk
WordPress Trac
noreply at wordpress.org
Tue Apr 7 16:23:06 UTC 2020
#49840: Twenty Twenty: Usage of outdated package-lock.json poses security risk
------------------------------+-------------------------------------
Reporter: JeffMatson | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Build/Test Tools | Version:
Severity: normal | Keywords: has-patch needs-testing
Focuses: |
------------------------------+-------------------------------------
The current version of Twenty Twenty (1.2) contains a `package-lock.json`
file which uses a very old version of `minimist` which has a known
security vulnerability (see: CVE-2020-7598).
Not a valid HackerOne report per policy:
> Vulnerabilities in Composer/NPM devDependencies, unless there's a
> practical way to exploit it remotely.
While not likely to get exploited in the wild unless someone were to push
their `node_modules` to a live site after running tests/builds, it will
cause security alerts to go off if monitored.
Attached is a regenerated lockfile which should resolve any issues there.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49840>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
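One way to check a lockfile for the pinned minimist versions the ticket describes, as an added example that is not part of the ticket or of the theme's build tooling: a Node script that walks both lockfileVersion 1 (nested `dependencies`) and v2/v3 (flat `packages`) layouts and reports every minimist entry inside the CVE-2020-7598 affected ranges (< 0.2.1, and >= 1.0.0 < 1.2.3, taken from the public advisory; verify against the advisory before relying on them). The sample lockfile is constructed, not Twenty Twenty's real file.

```javascript
// Added example (not from the ticket): audit a package-lock.json for minimist
// versions affected by CVE-2020-7598. Affected ranges assumed from the advisory.
function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10) || 0);
}
function cmp(a, b) {
  const [a1, a2, a3] = parseVersion(a), [b1, b2, b3] = parseVersion(b);
  return a1 - b1 || a2 - b2 || a3 - b3;
}
function isVulnerableMinimist(version) {
  return cmp(version, '0.2.1') < 0 ||
    (cmp(version, '1.0.0') >= 0 && cmp(version, '1.2.3') < 0);
}

// Returns [{ path, version, dev }] for every affected minimist in the lockfile.
function findVulnerableMinimist(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ('' is the root project).
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === '') continue;
      const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (name === 'minimist' && isVulnerableMinimist(info.version)) {
        hits.push({ path: key, version: info.version, dev: !!info.dev });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested tree, so the same package can appear at several depths.
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const p = path ? `${path} > ${name}` : name;
      if (name === 'minimist' && isVulnerableMinimist(info.version)) {
        hits.push({ path: p, version: info.version, dev: !!info.dev });
      }
      walk(info.dependencies, p);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample (lockfileVersion 1, like the theme's lockfile), not the real file.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    mkdirp: { version: '0.5.1', dev: true, dependencies: { minimist: { version: '0.0.8', dev: true } } },
    minimist: { version: '1.2.0', dev: true },
    'some-lib': { version: '2.0.0', dependencies: { minimist: { version: '1.2.5' } } },
  },
};
```

Running `findVulnerableMinimist(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))` against a real lockfile gives the same report; a `dev: true` hit is exactly the devDependency-only case the HackerOne policy quoted above excludes.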