[MDL-72014] Update grunt and some components to avoid some security reports - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.9.7, 3.10.4, 3.11, 4.0
Fix Version/s: 3.9.10, 3.10.7, 3.11.3
Component/s: General, JavaScript
Labels:
- release_notes
- security_benefit

Affected Branches:
MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
Fixed Branches:
MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE
Pull from Repository:
https://github.com/stronk7/moodle.git
Pull 3.9 Branch:
~~MDL-72014~~_39
Pull 3.9 Diff URL:
https://github.com/stronk7/moodle/compare/MDL-72014_39~1...MDL-72014_39
Pull 3.11 Branch:
~~MDL-72014~~_311
Pull 3.11 Diff URL:
https://github.com/stronk7/moodle/compare/MDL-72014_311~1...MDL-72014_311
Pull Master Branch:
~~MDL-72014~~
Pull Master Diff URL:
https://github.com/stronk7/moodle/compare/MDL-72014~1...MDL-72014
Testing Instructions:
Hide

Regression testing:

Verify that GHA, Travis and CiBoT are happy
Note: GitHub Actions is unhappy because with PHPUnit, but this can be ignored

For 311_STABLE and master branches: Repeat the testing instructions available @ ~~MDL-68496~~

For all branches: Repeat the testing instructions available @ ~~MDL-67712~~
Show
Regression testing: Verify that GHA, Travis and CiBoT are happy Note: GitHub Actions is unhappy because with PHPUnit, but this can be ignored For 311_STABLE and master branches: Repeat the testing instructions available @ MDL-68496 For all branches: Repeat the testing instructions available @ MDL-67712

Description

Since some weeks ago, GH's dependabot is telling as about a couple of security problems with our core nodejs stuff.

The problem (security-wise) is minor because we only use nodejs and composer as development dependencies, not for running the sites.

Still, it would be better to be clean of those security potential risks and reports.

Current reports are:

1) grunt package: High severity: CVE-2020-7729

Vulnerable versions: < 1.3.0
Patched version: 1.3.0
The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

2) xmldom package: Low severity: GHSA-h6q6-9hqw-rwfv

Vulnerable versions: < 0.5.0
Patched version: 0.5.0
Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.5.0 (once it is released)

Attachments

Issue Links

caused a regression

MDL-72440 Rebuild npm-shrinkwrap.json (to fix some small inconsistencies)

Closed

Testing discovered

MDL-72261 Check and fix feature files out from tests/behat directories

Open

Activity

People

Assignee:: Eloy Lafuente (stronk7)

Reporter:: Eloy Lafuente (stronk7)

Peer reviewer:: Sara Arjona (@sarjona)

Integrator:: Andrew Lyons

Tester:: Amaia Anabitarte

Participants:: Amaia Anabitarte, Andrew Lyons, CiBoT, Eloy Lafuente (stronk7), Michael Hawkins, Sara Arjona (@sarjona)

Component watchers:: Adrian Greeve, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 25/Jun/21 5:54 AM

Updated:: 21/Sep/21 12:43 AM

Resolved:: 27/Aug/21 3:34 PM

Fix Release Date:: 13/Sep/21

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

4h 45m