Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-72014

Update grunt and some components to avoid some security reports

    XMLWordPrintable

Details

    Description

      Since some weeks ago, GH's dependabot is telling as about a couple of security problems with our core nodejs stuff.

      The problem (security-wise) is minor because we only use nodejs and composer as development dependencies, not for running the sites.

      Still, it would be better to be clean of those security potential risks and reports.

      Current reports are:

      1) grunt package: High severity: CVE-2020-7729

      Vulnerable versions: < 1.3.0
      Patched version: 1.3.0
      The package grunt before 1.3.0 are vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

      2) xmldom package: Low severity: GHSA-h6q6-9hqw-rwfv

      Vulnerable versions: < 0.5.0
      Patched version: 0.5.0
      Impact

      xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

      This may lead to unexpected syntactic changes during XML processing in some downstream applications.

      Patches

      Update to 0.5.0 (once it is released)

      Attachments

        Issue Links

          Activity

            People

              stronk7 Eloy Lafuente (stronk7)
              stronk7 Eloy Lafuente (stronk7)
              Sara Arjona (@sarjona) Sara Arjona (@sarjona)
              Andrew Lyons Andrew Lyons
              Amaia Anabitarte Amaia Anabitarte
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Sujith Haridasan, Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                13/Sep/21

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 4 hours, 45 minutes
                  4h 45m