High severity vulnerability in pcf-scripts package due to dependency on xml2js

Have you noticed recently that when you run npm install on your PCF projects, you get a high severity vulnerabilities error (or maybe you were spammed by the GitHub 🤖 dependabot like I was)?
Luckily, it's not necessarily a reason to panic! 😅

As of the time of writing (14th April 2023), there is a vulnerability in the xml2js package that pcf-scripts depends on, so if you run npm audit you will see something like:

# npm audit report

xml2js  <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/xml2js
  pcf-scripts  *
  Depends on vulnerable versions of xml2js
  node_modules/pcf-scripts
  pcf-start  *
  Depends on vulnerable versions of xml2js
  node_modules/pcf-start

3 high severity vulnerabilities

This error is not as scary as it sounds, and the good news is that the pcf-scripts package is only used at build time and doesn't get used at run time. The xml2js package doesn't affect the functionality or security of your PCF control at all (unless you are using it in your own code, of course!) because, when it is only pulled in by pcf-scripts, it is not included in your final PCF bundle.js. 🙌

So how do you fix this? 🤔

Well, until the owner of the xml2js package releases a new version or the pcf-scripts package is updated not to require it, there isn't anything you can do!

Since pcf-scripts is included in the devDependencies section of package.json and is only used for development purposes, the way to determine whether you have any issues that will impact your PCF bundle.js is to run the command:

npm audit --omit=dev

This checks only the packages reachable from the dependencies section (devDependencies are omitted), and you should get the message:

found 0 vulnerabilities

Congratulations! 🥳
