
Security vulnerability with `braces` package

Open kstinson14 opened this issue 1 year ago • 3 comments

We're running into security vulnerabilities from <v3.0.3 versions of the braces package. Checking out our dependency chain, it looks like it should be fixed if

  • broccoli updates sane (there already exists a PR to do so) and then ember-cli pulls in the update.
  • ember-cli-dependency-checker updates find-yarn-workspace-root to v2.0.0.

[Screenshot of the dependency chain, dated 2024-06-20]

kstinson14 · Jun 20 '24 19:06

In the meantime, you can use npm overrides to solve this. It is also worth noting that this code only runs in development.

kategengler · Jun 25 '24 15:06
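The override approach suggested above, as an added example that is not part of the issue thread or of ember-cli: a small script that scans a package-lock.json (lockfile v2/v3 `packages` map) for installed copies of `braces` below 3.0.3, reports which are dev-only, and emits the package.json `overrides` entry that would force the fixed range. The lockfile contents are a constructed sample.

```javascript
// Added example (not from the ember-cli issue): scan a package-lock.json (lockfile v2/v3)
// for installed copies of `braces` older than 3.0.3, the floor the issue mentions,
// and emit the package.json "overrides" entry that would force the fixed range.
// The lockfile below is a constructed sample, not ember-cli's real lockfile.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", devDependencies: { "ember-cli": "5.0.0" } },
    "node_modules/ember-cli": { version: "5.0.0", dev: true },
    "node_modules/braces": { version: "3.0.3" },
    "node_modules/sane/node_modules/braces": { version: "2.3.2", dev: true },
    "node_modules/find-yarn-workspace-root/node_modules/braces": { version: "1.8.5", dev: true },
  },
};

// Minimal "x.y.z" comparison; enough for the plain release versions a lockfile records.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Return every installed copy of `pkg` below `minVersion`, with its install path
// (nested node_modules paths show which dependency pulled the old copy in).
function findVulnerable(lock, pkg, minVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + pkg)) continue;
    if (versionLessThan(entry.version, minVersion)) {
      hits.push({ path, version: entry.version, dev: !!entry.dev });
    }
  }
  return hits;
}

// package.json "overrides" block that pins every copy to the fixed range
// (the npm mechanism the comment above refers to; Yarn's equivalent is "resolutions").
function overrideFor(pkg, minVersion) {
  return { overrides: { [pkg]: ">=" + minVersion } };
}

const found = findVulnerable(SAMPLE_LOCK, "braces", "3.0.3");
for (const h of found) console.log(`${h.path}@${h.version}${h.dev ? " (dev only)" : ""}`);
console.log(JSON.stringify(overrideFor("braces", "3.0.3")));
```

Re-run `npm install` after adding the override and rescan the regenerated lockfile to confirm no old copy remains.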

@kategengler ember has such a deep dependency tree, and old packages that have not been updated but are used ubiquitously are becoming a liability. Overrides are an option but have inherent risk, and corporate security teams don't always care about the distinction between dev/prod deps. The PR that is mentioned above I opened a year ago, and broccoli, which is still core to ember, has a lot of really old deps. This could be helped with dependabot etc. on old repos that may not need active dev but are unavoidable in the ecosystem. It's consuming non-trivial engineering time on our team to work around vulnerabilities in the ember ecosystem! Hoping to be helpful in any way I can, but want to call out a real issue.

LucasHillDex · Mar 20 '25 19:03

I understand. However, we've chosen to move away from broccoli with embroider and our efforts have focused there.

I do not have access to broccoli to merge or release -- it looks like @ef4 does.

kategengler · Mar 20 '25 20:03