The following issue may compromise the security of your Liferay Digital Experience Platform implementation.
Vulnerability Information
The Liferay Fjord Theme and Liferay 1975 London Theme depend on third party libraries that have known vulnerabilities. These vulnerabilities affect the devDependencies in the build only; the deployed code is not affected.
Affected Products
- Liferay Fjord Theme (for Liferay DXP 7.0)
- Liferay 1975 London Theme (for Liferay Portal 7.0 CE)
Resolution
Update the affected dependencies listed below:
Liferay Fjord Theme
Affected library | Vulnerability information | Resolution |
--- | --- | --- |
tar-2.2.1 | CVE-2018-20834, NPM-803 | Upgrade to version 2.2.2 or later |
websocket-extensions-0.1.3 | CVE-2020-7662, NPM-1710 | Upgrade to version 0.1.4 or later |
minimist-0.0.10 | NPM-1179 | Upgrade to versions 0.2.1, 1.2.3 or later |
stringstream-0.0.5 | NPM-664 | Upgrade to version 0.0.6 or later |
deep-extend-0.4.2 | CVE-2018-3750, NPM-612 | Update to version 0.5.1 or later |
lodash-4.17.5 | CVE-2021-23337, CVE-2020-8203, CVE-2020-28500, CVE-2019-10744, CVE-2019-1010266, CVE-2018-16487, NPM-782, NPM-577, NPM-1673, NPM-1523, NPM-1065 | Upgrade to version 4.17.21 or later |
handlebars-3.0.3 | CVE-2021-23383, CVE-2021-23369, CVE-2019-20920, CVE-2015-8861, NPM-755, NPM-61, NPM-1670, NPM-1325, NPM-1324, NPM-1316, NPM-1300, NPM-1164 | Upgrade to version 4.7.7 or later |
fstream-1.0.11 | CVE-2019-13173, NPM-886 | Upgrade to version 1.0.12 or later |
extend-3.0.1 | NPM-996 | Upgrade to version 3.0.2 or later |
y18n-3.2.1 | NPM-1654 | Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later |
hosted-git-info-2.6.0 | CVE-2021-23362, NPM-1677 | Upgrade to version 2.8.9, 3.0.8 or later |
js-yaml-3.11.0 | NPM-813, NPM-788 | Upgrade to version 3.13.1 |
mixin-deep-1.3.1 | CVE-2019-10746, NPM-1013 | Upgrade to version 1.3.2 or later |
set-value-0.4.3 | NPM-1012 | Upgrade to version 2.0.1 or later |
uglify-js-2.3.6 | CVE-2015-8858, CVE-2015-8857, NPM-48, NPM-49 | Update to version 2.6.0 or later |
cli-0.4.5 | NPM-95 | Update to version 1.0.0 or later |
yargs-parser-5.0.0 | CVE-2020-7608, NPM-1500 | Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later |
trim-newlines-1.0.0 | NPM-1753 | Upgrade to versions 3.0.1 or 4.0.1 or later |
diff-1.4.0 | NPM-1631 | Upgrade to 3.5.0 or later |
concat-with-sourcemaps-1.0.5 | NPM-644 | Update to version 1.0.6 or later |
cryptiles-3.1.2 | CVE-2018-1000620, NPM-720, NPM-1464 | Update to version 4.1.2 or later |
node-sass-3.13.1 | CVE-2020-24025, NPM-961 | Upgrade to version 4.13.1 or later |
Liferay 1975 London Theme
Affected library | Vulnerability information | Resolution |
--- | --- | --- |
ua-parser-js-0.7.17 | NPM-1679 | Upgrade to version 0.7.24 or later |
xmlhttprequest-ssl-1.5.3 | NPM-1746, NPM-1665 | Upgrade to version 1.6.2 or later |
http-proxy-1.16.2 | NPM-1486 | Upgrade to version 1.18.1 or later |
bl-0.9.5 | NPM-1555 | Upgrade to version 4.0.3, 3.0.1, 2.2.1 or 1.2.3 |
socket.io-1.7.3 | NPM-1609 | Update to version 2.4.0 or later |
node-fetch-1.7.3 | NPM-1556 | Upgrade to version 2.6.1 or 3.0.0-beta.9 |
adm-zip-0.4.7 | CVE-2018-1002204, NPM-994, NPM-681 | Update to version 0.4.9 or later |
parsejson-0.0.3 | NPM-528 | This issue has not been fixed. It is the latest version. |
marked-0.3.6 | CVE-2017-1000427, NPM-531 | Update to version 0.3.9 or later |
https-proxy-agent-1.0.0 | NPM-593, NPM-1184 | Upgrade to version 3.0.0 or 2.2.3 |
braces-0.1.5 | NPM-786 | Upgrade to version 2.3.1 or higher |
sync-exec-0.5.0 | NPM-310 | There is currently no direct patch in any newer release |
debug-2.2.0 | NPM-534 | Update to version 2.6.9 or later |
acorn-3.3.0 | NPM-1488 | Upgrade to versions 5.7.4, 6.4.1, 7.1.1 or later |
moment-2.0.0 | CVE-2017-18214, CVE-2016-4055, NPM-55, NPM-532 | Update to version 2.19.3 or later |
mime-1.3.6 | NPM-535 | Update to version 2.0.3 or later |
lodash.merge-4.6.0 | NPM-1067, NPM-1066 | Update to version 4.6.2 or later |
deap-1.0.0 | CVE-2018-3749, NPM-611 | Update to version 1.0.1 or later |
growl-1.9.2 | NPM-146 | Update to version 1.10.2 or later |
is-my-json-valid-2.16.0 | NPM-572 | Update to version 1.4.1, 2.17.2 or later |
open-0.0.5 | NPM-663 | open is now the deprecated opn package. Upgrading to the latest version is likely to have unwanted effects since it now has a very different API, but it will prevent this vulnerability. |
ws-1.1.2 | NPM-550 | Update to version 3.3.1 or later |
bower-1.8.0 | NPM-776 | Update to version 1.8.8 or later |
concat-with-sourcemaps-1.0.4 | NPM-644 | Update to version 1.0.6 or later |
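As an added example (not code from the Liferay advisory or the theme projects), the following script checks the resolved versions of a theme build's devDependencies against fix versions transcribed from the tables above, applying "or later" per release line and reporting entries such as parsejson and sync-exec for which no fixed release exists. The ADVISORY subset and the SAMPLE_BUILD lockfile excerpt are constructed for illustration.

```javascript
// Fix versions transcribed from the advisory tables above (constructed subset).
// fixedIn = minimum patched version per release line; [] = no fixed release.
const ADVISORY = [
  { name: "lodash",          fixedIn: ["4.17.21"] },
  { name: "y18n",            fixedIn: ["3.2.2", "4.0.1", "5.0.5"] },
  { name: "hosted-git-info", fixedIn: ["2.8.9", "3.0.8"] },
  { name: "node-fetch",      fixedIn: ["2.6.1", "3.0.0-beta.9"] },
  { name: "parsejson",       fixedIn: [] },
  { name: "sync-exec",       fixedIn: [] },
];
// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver ordering: numeric tuple first; a prerelease sorts below its release.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Patched when at or above the fix in the same major line, or above every
// listed line (the advisory's "or later"); an older line is never patched.
function isPatched(installed, fixedIn) {
  const inst = parseVersion(installed);
  const fixes = fixedIn.map(parseVersion);
  const sameLine = fixes.find((f) => f.nums[0] === inst.nums[0]);
  if (sameLine) return compareVersions(inst, sameLine) >= 0;
  return fixes.length > 0 && fixes.every((f) => inst.nums[0] > f.nums[0]);
}

// installed: { packageName: resolvedVersion }, e.g. read from package-lock.json.
function auditDevDependencies(installed, advisory = ADVISORY) {
  return advisory
    .filter(({ name }) => name in installed)
    .map(({ name, fixedIn }) => ({
      name, version: installed[name], fixedIn,
      status: fixedIn.length === 0 ? "no-fix"
            : isPatched(installed[name], fixedIn) ? "patched" : "vulnerable",
    }));
}
// Constructed lockfile excerpt resembling a partially updated theme build.
const SAMPLE_BUILD = { lodash: "4.17.5", y18n: "4.0.0", "hosted-git-info": "2.8.9",
  "node-fetch": "3.0.0-beta.9", parsejson: "0.0.3", handlebars: "4.7.7" };
console.log(auditDevDependencies(SAMPLE_BUILD));
```

A "no-fix" finding means the package must be removed or replaced rather than upgraded; since these are build-time dependencies only, a "vulnerable" finding is a risk to the build pipeline, not to the deployed theme.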