Known Vulnerabilities with Liferay Fjord Theme and 1975 London Theme

The following issue may compromise the security of your Liferay Digital Experience Platform implementation. 

Vulnerability Information

The Liferay Fjord Theme and Liferay 1975 London Theme depend on third-party libraries that have known vulnerabilities. These vulnerabilities affect the devDependencies in the build only; the deployed code is not affected.

Affected Products


Update the affected dependencies listed below: 

Liferay Fjord Theme

| Affected library | Vulnerability information | Resolution |
| --- | --- | --- |
| tar-2.2.1 | CVE-2018-20834, NPM-803 | Upgrade to version 2.2.2 or later |
| websocket-extensions-0.1.3 | CVE-2020-7662, NPM-1710 | Upgrade to version 0.1.4 or later |
| minimist-0.0.10 | NPM-1179 | Upgrade to versions 0.2.1, 1.2.3 or later |
| stringstream-0.0.5 | NPM-664 | Upgrade to version 0.0.6 or later |
| deep-extend-0.4.2 | CVE-2018-3750, NPM-612 | Update to version 0.5.1 or later |
| lodash-4.17.5 | CVE-2021-23337, CVE-2020-8203, CVE-2020-28500, CVE-2019-10744, CVE-2019-1010266, CVE-2018-16487, NPM-782, NPM-577, NPM-1673, NPM-1523, NPM-1065 | Upgrade to version 4.17.21 or later |
| handlebars-3.0.3 | CVE-2021-23383, CVE-2021-23369, CVE-2019-20920, CVE-2015-8861, NPM-755, NPM-61, NPM-1670, NPM-1325, NPM-1324, NPM-1316, NPM-1300, NPM-1164 | Upgrade to version 4.7.7 or later |
| fstream-1.0.11 | CVE-2019-13173, NPM-886 | Upgrade to version 1.0.12 or later |
| extend-3.0.1 | NPM-996 | Upgrade to version 3.0.2 or later |
| y18n-3.2.1 | NPM-1654 | Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later |
| hosted-git-info-2.6.0 | CVE-2021-23362, NPM-1677 | Upgrade to version 2.8.9, 3.0.8 or later |
| js-yaml-3.11.0 | NPM-813, NPM-788 | Upgrade to version 3.13.1 |
| mixin-deep-1.3.1 | CVE-2019-10746, NPM-1013 | Upgrade to version 1.3.2 or later |
| set-value-0.4.3 | NPM-1012 | Upgrade to version 2.0.1 or later |
| uglify-js-2.3.6 | CVE-2015-8858, CVE-2015-8857, NPM-48, NPM-49 | Update to version 2.6.0 or later |
| cli-0.4.5 | NPM-95 | Update to version 1.0.0 or later |
| yargs-parser-5.0.0 | CVE-2020-7608, NPM-1500 | Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later |
| trim-newlines-1.0.0 | NPM-1753 | Upgrade to versions 3.0.1 or 4.0.1 or later |
| diff-1.4.0 | NPM-1631 | Upgrade to 3.5.0 or later |
| concat-with-sourcemaps-1.0.5 | NPM-644 | Update to version 1.0.6 or later |
| cryptiles-3.1.2 | CVE-2018-1000620, NPM-720, NPM-1464 | Update to version 4.1.2 or later |
| node-sass-3.13.1 | CVE-2020-24025, NPM-961 | Upgrade to version 4.13.1 or later |

Liferay 1975 London Theme

| Affected library | Vulnerability information | Resolution |
| --- | --- | --- |
| ua-parser-js-0.7.17 | NPM-1679 | Upgrade to version 0.7.24 or later |
| xmlhttprequest-ssl-1.5.3 | NPM-1746, NPM-1665 | Upgrade to version 1.6.2 or later |
| http-proxy-1.16.2 | NPM-1486 | Upgrade to version 1.18.1 or later |
| bl-0.9.5 | NPM-1555 | Upgrade to version 4.0.3, 3.0.1, 2.2.1 or 1.2.3; NPM-1609: Update to version 2.4.0 or later |
| node-fetch-1.7.3 | NPM-1556 | Upgrade to version 2.6.1 or 3.0.0-beta.9 |
| adm-zip-0.4.7 | CVE-2018-1002204, NPM-994, NPM-681 | Update to version 0.4.9 or later |
| parsejson-0.0.3 | NPM-528 | This issue has not been fixed. It is the latest version. |
| marked-0.3.6 | CVE-2017-1000427, NPM-531 | Update to version 0.3.9 or later |
| https-proxy-agent-1.0.0 | NPM-593, NPM-1184 | Upgrade to version 3.0.0 or 2.2.3 |
| braces-0.1.5 | NPM-786 | Upgrade to version 2.3.1 or higher |
| sync-exec-0.5.0 | NPM-310 | There is currently no direct patch in any newer release |
| debug-2.2.0 | NPM-534 | Update to version 2.6.9 or later |
| acorn-3.3.0 | NPM-1488 | Upgrade to versions 5.7.4, 6.4.1, 7.1.1 or later |
| moment-2.0.0 | CVE-2017-18214, CVE-2016-4055, NPM-55, NPM-532 | Update to version 2.19.3 or later |
| mime-1.3.6 | NPM-535 | Update to version 2.0.3 or later |
| lodash.merge-4.6.0 | NPM-1067, NPM-1066 | Update to version 4.6.2 or later |
| deap-1.0.0 | CVE-2018-3749, NPM-611 | Update to version 1.0.1 or later |
| growl-1.9.2 | NPM-146 | Update to version 1.10.2 or later |
| is-my-json-valid-2.16.0 | NPM-572 | Update to version 1.4.1, 2.17.2 or later |
| open-0.0.5 | NPM-663 | open is now the deprecated opn package. Upgrading to the latest version is likely to have unwanted effects since it now has a very different API but will prevent this vulnerability. |
| ws-1.1.2 | NPM-550 | Update to version 3.3.1 or later |
| bower-1.8.0 | NPM-776 | Update to version 1.8.8 or later |
| concat-with-sourcemaps-1.0.4 | NPM-644 | Update to version 1.0.6 or later |
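
One way to check a theme's npm lockfile against the tables above, as an added example (not Liferay's code). The function names, the subset of rows in `FIXED`, and the sample lockfile are constructed for illustration. Reading "0.2.1, 1.2.3 or later" as one fix per major release line is an assumption.

```javascript
// Fixed versions copied from a few rows of the tables above (subset only).
const FIXED = {
  minimist: ['0.2.1', '1.2.3'],
  y18n: ['3.2.2', '4.0.1', '5.0.5'],
  lodash: ['4.17.21'], 'ua-parser-js': ['0.7.24'],
};
// Parse "x.y.z[-tag]" into three numbers, then compare numerically.
const parse = (v) => [0, 1, 2].map((i) => Number(v.split('-')[0].split('.')[i] || 0));
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
};
// Assumption: each listed fix covers its own major line ("0.2.1, 1.2.3 or later").
// With no fix in the installed major line, only versions above every fix pass.
function isFixed(version, fixes) {
  const sameLine = fixes.find((f) => parse(f)[0] === parse(version)[0]);
  if (sameLine) return cmp(version, sameLine) >= 0;
  return fixes.every((f) => cmp(version, f) > 0);
}
function findAffected(lock) {
  const hits = [];
  const check = (name, entry, path) => {
    if (Object.hasOwn(FIXED, name) && entry.version && !isFixed(entry.version, FIXED[name])) {
      hits.push({ name, version: entry.version, path, devOnly: entry.dev === true });
    }
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path) check(path.split('node_modules/').pop(), entry, path);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry, `${prefix}node_modules/${name}`);
      walk(entry.dependencies, `${prefix}node_modules/${name}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}
// Constructed sample lockfile (lockfileVersion 1); "example-build-tool" is hypothetical.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  lodash: { version: '4.17.21' },
  'example-build-tool': { version: '1.0.0', dev: true,
    dependencies: { minimist: { version: '0.0.10', dev: true } } },
  y18n: { version: '4.0.0', dev: true }, 'ua-parser-js': { version: '0.7.17' },
} };
console.log(findAffected(SAMPLE_LOCK));
```

To scan a real build, pass the parsed contents of the theme's `package-lock.json` to `findAffected`. A hit with `devOnly: false` is worth checking against the statement above that only devDependencies are affected.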