NPM update to partially address vulnerability
Observed this security vulnerability in the phosphor-webui
repo on GitHub:
"We found a potential security vulnerability in one of your
dependencies.
tar
Upgrade tar to version 4.4.2 or later."
See https://nvd.nist.gov/vuln/detail/CVE-2018-20834
for more information.
Ran "NPM update" && "npm install tar@latest --save".
Unfortunately, this only addresses one of the packages
that uses tar, the other, node-sass, has not published a
release to fix this vulnerability.
See https://github.com/sass/node-sass/issues/2625
Not an easy fix for node-sass.
Opened
https://github.com/openbmc/phosphor-webui/issues/85
to track this work.
Tested: Built the GUI and loaded it on a Witherspoon. No
regressions observed.
Change-Id: I9e06d77a03dff4a3d12f472fd18671cc8c41fcd4
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
diff --git a/package.json b/package.json
index d16477d..faf47a3 100644
--- a/package.json
+++ b/package.json
@@ -44,8 +44,8 @@
},
"peerDependencies": {},
"devDependencies": {
- "@babel/core": "^7.2.2",
- "@babel/preset-env": "^7.3.1",
+ "@babel/core": "^7.4.4",
+ "@babel/preset-env": "^7.4.4",
"angular-mocks": "1.7.3",
"assets-webpack-plugin": "3.9.6",
"autoprefixer": "9.1.5",
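Review bot: The @babel/core and @babel/preset-env bumps in this hunk are not explained anywhere in the commit message, which only talks about tar and node-sass; please add a sentence saying these came along with "npm update" (or split them into their own change) so a reader of the history does not mistake them for part of the CVE-2018-20834 fix. Also, the message says "npm install tar@latest --save" was run, but no "tar" entry appears in this hunk or elsewhere in the visible diff; either the message should be corrected to say the dependency was not added, or the missing part of the change (a lockfile update, if the repo keeps one) should be included so the stated tar >= 4.4.2 floor is actually pinned.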
@@ -66,7 +66,7 @@
"html-webpack-plugin": "^3.2.0",
"ignore-assets-webpack-plugin": "^2.0.1",
"mini-css-extract-plugin": "^0.4.5",
- "node-sass": "^4.11.0",
+ "node-sass": "^4.12.0",
"null-loader": "^0.1.1",
"raw-loader": "^0.5.1",
"rimraf": "^2.6.3",
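Review bot: The node-sass bump from ^4.11.0 to ^4.12.0 does not close the tar advisory, as the commit message itself acknowledges (node-sass issue 2625), so the message should say explicitly that this line is a routine update and that the vulnerable transitive tar remains until node-sass ships a fix tracked in phosphor-webui issue 85. With the caret range, the version that actually gets installed depends on whatever node-sass has published at install time, so if the repo keeps a lockfile its update belongs in this change too; otherwise the "partially address" claim in the title is not verifiable from the diff.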