npx lwc-create-app my-app
npm audit
No reported vulnerabilities.
=== npm audit security report ===
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Manual Review โ
โ Some vulnerabilities require your attention to resolve โ
โ โ
โ Visit https://go.npm.me/audit-guide for additional guidance โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Moderate โ Denial of Service โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ js-yaml โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=3.13.0 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ lwc-services โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ lwc-services > @lwc/compiler > @lwc/style-compiler > cssnano โ
โ โ > postcss-svgo > svgo > js-yaml โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://npmjs.com/advisories/788 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ High โ Code Injection โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ js-yaml โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=3.13.1 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ lwc-services โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ lwc-services > @lwc/compiler > @lwc/style-compiler > cssnano โ
โ โ > postcss-svgo > svgo > js-yaml โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://npmjs.com/advisories/813 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
found 2 vulnerabilities (1 moderate, 1 high) in 889133 scanned packages
2 vulnerabilities require manual review. See the full report for details.
N/A
Possible Solution
Manually upgrade reported libraries; validate there are no negative impacts.
I think this is covered by https://github.com/salesforce/lwc/commit/1b458656bbee25c9809b0a4fbcfbc9d93782394d, which needs to be released. @ekashida @diervo can you confirm?
No, that change removed an fstream vulnerability. This looks different.
This may be related to the cssnano upgrade that is mentioned in #1216
We have several packages depending on js-yaml 3.12.x, however the security issue is due to arbitrary load of yaml files vis specific method. We should eventually fix this, but I don't see it as a security problem since we don't use nor parse any yaml file as part of any of our code.
I found out after discussing with @diervo that the reason why we can't upgrade cssnano right now is because they dropped support for their synchronous API.
@diervo the code might not be actually used but 1) it doesn't look good especially if you are starting with LWC and you see errors like this and 2) the infosec team most probably disagree with this and I will have a problem putting an app into production.
Is there anything we can do about that?
you are right, and we fixed most of them, will see what we can do about this one without upgrading the world.
+1 is this going to get fixed?
Most helpful comment
you are right, and we fixed most of them, will see what we can do about this one without upgrading the world.