Description
@node-red/util is imported into FlowFuse runtime dependencies solely for the helper functions getObjectProperty and settObjectProperty in forge/containers/stub/index.js (ref)
@node-red/util brings several dependencies itself, one of them being jsonata which is being flagged by trivy as a high vuln.
We could ignore this but in the interest of sanitisation, we could simply create our own getObjectProperty/settObjectProperty functions
@hardillb @ppawlowski
Not knowing how trivy deals with alerts and if they can/should be silenced is this the right course of action?
Epic/Story
No response
Have you provided an initial effort estimate for this issue?
I have provided an initial effort estimate
Description
@node-red/utilis imported into FlowFuse runtime dependencies solely for the helper functionsgetObjectPropertyandsettObjectPropertyinforge/containers/stub/index.js(ref)@node-red/utilbrings several dependencies itself, one of them beingjsonatawhich is being flagged by trivy as a high vuln.We could ignore this but in the interest of sanitisation, we could simply create our own getObjectProperty/settObjectProperty functions
@hardillb @ppawlowski
Not knowing how trivy deals with alerts and if they can/should be silenced is this the right course of action?
Epic/Story
No response
Have you provided an initial effort estimate for this issue?
I have provided an initial effort estimate