Open
Labels: backlog (Issue/PR/discussion is reviewed and added to backlog for further work), 🐞 bug
Description
Describe the Bug
I am using "@sitecore-jss/sitecore-jss-react": "^21.1.0" and noticed the following vulnerabilities:
Critical Vulnerabilities
- @babel/traverse (<7.23.2): Arbitrary code execution vulnerability.
- webpack (5.0.0-alpha.0 - 5.93.0): Cross-realm object access and XSS vulnerabilities.
High Severity Vulnerabilities
- axios (<=0.29.0 || 1.0.0 - 1.8.1): Multiple vulnerabilities including CSRF and SSRF.
- body-parser (<1.20.3): Denial of service vulnerability.
- braces (<3.0.3): Uncontrolled resource consumption.
- canvg (<3.0.11): Prototype pollution vulnerability.
- http-proxy-middleware (<=2.0.8): Denial of service and other issues.
- nth-check (<2.0.1): Inefficient Regular Expression Complexity.
- rollup (<2.79.2): DOM Clobbering Gadget leading to XSS.
- send (<0.19.0): Template injection vulnerability.
- ws (7.0.0 - 7.5.9 || 8.0.0 - 8.17.0): Denial of Service (DoS) vulnerability.
Moderate Severity Vulnerabilities
- @babel/helpers (<7.26.10): Inefficient RegExp complexity.
- @babel/runtime (<7.26.10): Inefficient RegExp complexity.
- dompurify (<=3.2.3): Prototype pollution and XSS vulnerabilities.
- ejs (<3.1.10): Pollution protection issues.
- micromatch (<4.0.8): Regular Expression Denial of Service (ReDoS).
- nanoid (<3.3.8): Predictable results in ID generation.
- serialize-javascript (6.0.0 - 6.0.1): Cross-site Scripting (XSS).
I tried to upgrade to 21.1.7 and didn't see axios updated, at least.
To Reproduce
Install @sitecore-jss/sitecore-jss-react 21.1.0.
Expected Behavior
Vulnerabilities
Possible Fix
Update packages.
Provide environment information
- Sitecore Version: 10.3
- JSS Version: 21.1.0
- Browser Name and version: Edge latest version
- Operating System and version (desktop or mobile): Desktop
- Link to your project (if available): Cannot add the link
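To check whether a project's lockfile actually resolves any of the versions listed in this report (transitive installs included), here is an added example that is not part of this issue or of Sitecore JSS: it walks the `packages` map of a package-lock.json (lockfile v2/v3) and flags entries inside the ranges above. It assumes only the clause forms used in this list (`<x`, `<=x`, `a - b`, `||`), uses a minimal hand-written version comparator rather than a full semver library, and runs against a constructed sample lockfile.

```javascript
// Added example, not Sitecore JSS code: flag package-lock entries whose version
// falls in a range from this issue. Minimal comparator (not full semver).
const VULNERABLE = {
  "@babel/traverse": "<7.23.2", "@babel/helpers": "<7.26.10",
  "@babel/runtime": "<7.26.10", "webpack": "5.0.0-alpha.0 - 5.93.0",
  "axios": "<=0.29.0 || 1.0.0 - 1.8.1", "body-parser": "<1.20.3",
  "braces": "<3.0.3", "canvg": "<3.0.11", "http-proxy-middleware": "<=2.0.8",
  "nth-check": "<2.0.1", "rollup": "<2.79.2", "send": "<0.19.0",
  "ws": "7.0.0 - 7.5.9 || 8.0.0 - 8.17.0", "dompurify": "<=3.2.3",
  "ejs": "<3.1.10", "micromatch": "<4.0.8", "nanoid": "<3.3.8",
  "serialize-javascript": "6.0.0 - 6.0.1",
};
// "1.2.3-beta.1" -> numeric core plus a prerelease flag.
function parse(v) {
  const [core, pre] = v.split("-", 2);
  return { nums: core.split(".").map(Number), pre: pre !== undefined };
}
// strcmp-style result; a prerelease sorts below the same release number.
function cmp(a, b) {
  const A = parse(a), B = parse(b);
  for (let i = 0; i < 3; i++) if (A.nums[i] !== B.nums[i]) return A.nums[i] - B.nums[i];
  return (B.pre ? 1 : 0) - (A.pre ? 1 : 0);
}
// Does `version` satisfy any "||"-separated clause ("<x", "<=x", "a - b")?
function inRange(version, range) {
  return range.split("||").some((raw) => {
    const c = raw.trim();
    if (c.startsWith("<=")) return cmp(version, c.slice(2)) <= 0;
    if (c.startsWith("<")) return cmp(version, c.slice(1)) < 0;
    const [lo, hi] = c.split(" - "); // inclusive hyphen range
    return cmp(version, lo) >= 0 && cmp(version, hi) <= 0;
  });
}
// Walk a lockfile v2/v3 "packages" map (nested installs included) and return
// every entry whose version is inside a listed range.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const range = VULNERABLE[name];
    if (!path || typeof range !== "string" || !info.version) continue;
    if (inRange(info.version, range)) hits.push({ name, version: info.version, range });
  }
  return hits;
}
const SAMPLE_LOCK = { packages: { // constructed sample, not the reporter's project
  "node_modules/axios": { version: "1.8.1" }, "node_modules/@babel/traverse": { version: "7.23.2" },
  "node_modules/webpack": { version: "5.93.0" }, "node_modules/foo/node_modules/nanoid": { version: "3.3.7" },
} };
console.log(findVulnerable(SAMPLE_LOCK)); // axios 1.8.1, webpack 5.93.0, nanoid 3.3.7
```

Point `findVulnerable` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it on a real project; a non-empty result means the lockfile still pins a listed version even after bumping the top-level dependency.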