[OSS] Critical severity vulnerability #2195

@judith9209

Description

Describe the bug
I am trying to integrate karma-accessibility-checker 3.1.78 in my project, where WhiteSource is enabled in the pipeline.

To Reproduce
Steps to reproduce the behavior:

  1. Run npm install in the root folder of karma-accessibility-checker.
  2. This will generate the package-lock.json that includes 9 entries that are listed in the National Vulnerability Database:

Package        Up to (excluding)   National vulnerability database
hawk           9.0.1               https://nvd.nist.gov/vuln/detail/CVE-2022-29167
hoek           5.0.3               https://nvd.nist.gov/vuln/detail/CVE-2018-3728
requestretry   7.0.0               https://nvd.nist.gov/vuln/detail/CVE-2022-0654
cryptiles      4.1.2               https://nvd.nist.gov/vuln/detail/CVE-2018-1000620
request        2.88.1              https://nvd.nist.gov/vuln/detail/CVE-2023-28155
tunnel-agent                       Received as a WhiteSource violation as well, however I cannot find the link in NVD
shelljs        0.8.5               https://nvd.nist.gov/vuln/detail/CVE-2022-0144
tough-cookie   4.1.3               https://nvd.nist.gov/vuln/detail/CVE-2023-26136
qs             6.10.3              https://nvd.nist.gov/vuln/detail/CVE-2022-24999
bl             4.0.3               https://nvd.nist.gov/vuln/detail/CVE-2020-8244

Expected behavior
The project should use dependencies that are not listed in national vulnerability database.

Additional context
I am currently stuck integrating karma-accessibility-checker in my project, as we have security checks enabled. I have added multiple dependencies like hawk to my project with a newer version to convince it that the older version with the violation is not used. As https://github.com/request/request is deprecated and all its versions are listed as a security issue, this is currently the reason why I cannot use karma-accessibility-checker.

Labels: T70, karma-accessibility-checker (Issues in the karma-accessibility-checker component), user-reported (Issues identified outside of the core team)