large number of deprecated packages installed via npm install -- including multiple CVEs

[rossgrady]

Do y'all have a published policy about how you manage your NPM dependencies, including an upgrade cadence, etc?

When I clone the main branch of the repo & do an npm install I see a lot of deprecation warnings. And when I run a Mend scan against the resulting directory with its node modules populated, there are quite a few high CVEs in transitive dependencies.

[rossgrady]

So, for example, there is a CVE for postcss version 5.2.18 -- when I do npm list [email protected] this is the tree it returns:

└─┬ @rancher/[email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected] 

[jandubois]

There is no published policy, but in general we run dependabot and update modules whenever possible, especially if they include CVE fixes.

In this particular instance the fixes for postcss are only available in [email protected] or [email protected]. Unfortunately these are incompatible with the current version of Vue, and upgrading Vue will require some major refactoring. Since Rancher Desktop is using components from other Rancher projects, this needs to be coordinated across those teams.

On the mitigating side, postcss is only used during the build process and not at runtime, so the vulnerability should not be a concern for the end-user.

Even in other cases, vulnerabilities that would be a concern in a web application may not be exploitable against a local Electron app, which is running with regular user privileges and not accessible from outside the machine.

[rossgrady]

Thanks for the followup & the detailed explanation! This was very helpful. (also, side note, I definitely feel the pain w/r/t Vue & its dependencies!)