No-one is immune

I recently ran into the unsolvable issue that if you ran an npm audit on a React or Angular framework project, it would give back an error because of this CVE. Now, the solution was to go to a lower dependency for one of the scripts, but that lower dependency had other high vulnerabilities, so you were in an endless cycle and could not fix it.

Workaround

Basically, I just turned off npm audit for now; alternatively, increase the audit level to critical instead of just high.


Update

The issue is now resolved because the frameworks released a minor update addressing it.


Problem

Sometimes you just run into the fact that major frameworks cannot react fast enough because of the sheer number of nested dependencies. The tree graph of the dependencies could rival Yggdrasil. Do not be lulled into a false sense of security by thinking these frameworks automatically provide the best of the best security.

Because all these small moving parts work together to form a complex machine, the attack surface is actually quite large. It also opens up a multitude of possible so-called supply chain attacks.

That is where you do not attack the main framework itself but a package used somewhere along the chain that makes up the bigger framework.
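The two points above, the audit-level workaround and the vulnerable package buried deep in the framework's dependency chain, can be seen in the JSON that npm audit itself produces. The following is an added example, not code from the original post or from npm: it parses a report in the shape `npm audit --json` emits on npm 7 and later (auditReportVersion 2), applies the same severity threshold as `--audit-level`, and follows each flagged package's `effects` list upward to the direct dependency that pulls it in. The report embedded in the block is constructed by hand; the package names (framework-cli, mid-dep, deep-dep, other-lib) and the advisory are invented for illustration.

```python
"""Triage an `npm audit --json` (auditReportVersion 2) report.

Added example; the SAMPLE_REPORT below is constructed, not taken from a
real project. It models the situation in the post: one advisory sits in a
transitive package (deep-dep) that is only reachable through the framework's
own dependency chain, and the only fix npm offers is a semver-major change
of the framework package itself.
"""
import json
from collections import deque

# npm's severity ladder, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample report (hypothetical package names and advisory).
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "deep-dep": {
            "name": "deep-dep", "severity": "high", "isDirect": False,
            "via": [{"source": 0, "name": "deep-dep",
                     "title": "Constructed advisory for illustration",
                     "severity": "high", "range": "<2.0.0"}],
            "effects": ["mid-dep"], "range": "<2.0.0",
            "nodes": ["node_modules/deep-dep"],
            "fixAvailable": {"name": "framework-cli", "version": "1.0.0",
                             "isSemVerMajor": True},
        },
        "mid-dep": {
            "name": "mid-dep", "severity": "high", "isDirect": False,
            "via": ["deep-dep"], "effects": ["framework-cli"], "range": "*",
            "nodes": ["node_modules/mid-dep"],
            "fixAvailable": {"name": "framework-cli", "version": "1.0.0",
                             "isSemVerMajor": True},
        },
        "framework-cli": {
            "name": "framework-cli", "severity": "high", "isDirect": True,
            "via": ["mid-dep"], "effects": [], "range": ">=2.0.0",
            "nodes": ["node_modules/framework-cli"],
            "fixAvailable": {"name": "framework-cli", "version": "1.0.0",
                             "isSemVerMajor": True},
        },
        "other-lib": {
            "name": "other-lib", "severity": "moderate", "isDirect": True,
            "via": [{"source": 1, "name": "other-lib",
                     "title": "Constructed advisory for illustration",
                     "severity": "moderate", "range": "<1.2.3"}],
            "effects": [], "range": "<1.2.3",
            "nodes": ["node_modules/other-lib"], "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 3, "critical": 0, "total": 4}},
})


def parse_report(text):
    """Return the vulnerabilities map (package name -> entry) of a v2 report."""
    report = json.loads(text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected an auditReportVersion 2 report (npm 7+)")
    return report["vulnerabilities"]


def at_or_above(vulns, level):
    """Packages at or above `level`: the threshold --audit-level=<level> uses."""
    threshold = SEVERITY_ORDER.index(level)
    return sorted(name for name, v in vulns.items()
                  if SEVERITY_ORDER.index(v["severity"]) >= threshold)


def audit_exit_code(vulns, level):
    """npm audit exits 1 when anything at or above the audit level remains."""
    return 1 if at_or_above(vulns, level) else 0


def root_advisories(vulns):
    """Packages that carry an advisory themselves (a dict in `via`), as opposed
    to packages flagged only because they depend on a vulnerable one."""
    return sorted(name for name, v in vulns.items()
                  if any(isinstance(item, dict) for item in v["via"]))


def chain_to_direct(vulns, name):
    """Follow `effects` (who depends on this package) upward, breadth-first,
    until a direct dependency is reached; returns the path or None."""
    queue, seen = deque([[name]]), {name}
    while queue:
        path = queue.popleft()
        entry = vulns[path[-1]]
        if entry["isDirect"]:
            return path
        for parent in entry["effects"]:
            if parent in vulns and parent not in seen:
                seen.add(parent)
                queue.append(path + [parent])
    return None


def fix_summary(vulns, name):
    """Describe the `fixAvailable` field: False, True, or an object naming the
    top-level package that must change and whether that is a major bump."""
    fix = vulns[name]["fixAvailable"]
    if fix is False:
        return "no fix available"
    if fix is True:
        return "fix within current semver range"
    kind = "semver-major" if fix.get("isSemVerMajor") else "in-range"
    return f"{kind} change: {fix['name']}@{fix['version']}"


if __name__ == "__main__":
    vulns = parse_report(SAMPLE_REPORT)
    for level in ("high", "critical"):
        print(f"--audit-level={level}: exit {audit_exit_code(vulns, level)}")
    for name in root_advisories(vulns):
        print(name, "->", chain_to_direct(vulns, name), "|", fix_summary(vulns, name))
```

Running it shows why the workaround in the post "works": at `--audit-level=high` the build fails on the deep-dep chain, at `critical` it passes, while the advisory itself is untouched. The chain output (deep-dep via mid-dep to framework-cli) is the supply-chain picture: the only direct dependency in the path is the framework package, and the offered fix is a major-version change of that package, which is the cycle the post describes.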

#devops #secops #devsecops