Yarn.lock Vulnerabilities found in default Hugo Netlify CMS site

I started a new Hugo-powered Netlify CMS site, linked to github, and immediately received warnings of 8 security vulnerabilities due to outdated versions referenced in the yarn.lock file. I’ll post the full list below. Who can fix this on Netlify’s end? What can I do on my end?
I am unfamiliar with yarn and do not have it installed on my system. I’m leery of delving into that as my previous attempts to wrangle npm package updates on behalf of a netlifycms site led to lots of confusion and no clear benefit, and working with yarn seems similar. I chose netlifycms because it seemed simpler to manage, but these warnings have me worried.
Any tips? Warnings below:

Lodash -> 4.17.13
CVE-2019-10744 More information

high severity

Vulnerable versions: < 4.17.13

Patched version: 4.17.13

Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

CVE-2018-16487 More information

low severity

Vulnerable versions: < 4.17.11

Patched version: 4.17.11

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

CVE-2018-3721 More information

moderate severity

Vulnerable versions: < 4.17.5

Patched version: 4.17.5

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of “Object” via proto , causing the addition or modification of an existing property that will exist on all objects.

Minmatch -> 3.0.2
CVE-2016-10540 More information

high severity

Vulnerable versions: < 3.0.2

Patched version: 3.0.2

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

jquery -> 3.4.0
CVE-2019-11358 More information

moderate severity

Vulnerable versions: < 3.4.0

Patched version: 3.4.0

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

axios -> 0.18.1
CVE-2019-10742 More information

high severity

Vulnerable versions: <= 0.18.0

Patched version: 0.18.1

Axios up to and including 0.18.0 allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

ja-yaml -> 3.13.1
WS-2019-0032 More information

moderate severity

Vulnerable versions: < 3.13.0

Patched version: 3.13.0

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Vulnerability data by WhiteSource

WS-2019-0063 More information

high severity

Vulnerable versions: < 3.13.1

Patched version: 3.13.1

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

mem -> 4.0.0
WS-2018-0236 More information

moderate severity

Vulnerable versions: < 4.0.0

Patched version: 4.0.0

In nodejs-mem before version 4.0.0 there is a memory leak due to old results not being removed from the cache despite reaching maxAge. Exploitation of this can lead to exhaustion of memory and subsequent denial of service.

lodash.template -> 4.5.0
CVE-2019-10744 More information

high severity

Vulnerable versions: < 4.5.0

Patched version: 4.5.0

Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

lodash.merge -> 4.6.2
CVE-2019-10744 More information

high severity

Vulnerable versions: < 4.6.2

Patched version: 4.6.2

Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

1 Like

I’m showing the same issue. I wonder if any Mods can chime in on this??

1 Like

Working on upgrading dependencies now, a lot of security issues in npm packages have popped up in the last two weeks.

Update: the Hugo template is now updated, no security warnings.