Fix security vulnerability in package-lock.json #28

Closed
acaproni opened this issue May 11, 2018 · 3 comments
Comments

@acaproni
Member

The security warning has been reported by github: https://github.com/IntegratedAlarmSystem-Group/ias-display/network/dependencies

@sfehlandt
Contributor

sfehlandt commented Jun 1, 2018

We upgraded one of the affected packages: jquery.

For the other one we need to upgrade to Angular 6, which was scheduled to be done for Release 4.
Follow up on: #40

@sfehlandt sfehlandt added this to the Release 4 milestone Jun 7, 2018
@sfehlandt
Contributor

Current status
Unfortunately there is not much we can do about this, since the affected libraries are dependencies of dependencies, and we cannot control which versions of their dependencies our dependencies use.

The affected libraries were fixed and their dependants were updated accordingly up to "request v2.83".

The problem is that there are still 2 packages in our dependency tree using versions of "request" prior to 2.83:

  • node-sass: We are using their latest version, 4.9.0, which uses request 2.79. Currently the team is working on v5 which will use request 2.85. This is not merged yet because it will lose compatibility with node < 4, and hence it will be done for the next non-backwards-compatible release (v5)

  • loggly: Here the dependency is lower in the tree: karma@2.0.2 -> log4js@2.8.0 -> loggly@1.1.1. The problem is that loggly@1.1.1 is still using request 2.75. The project has not been updated in 2 years. So there is not much hope this will be fixed any time soon.

The bright side
These are only "devDependencies", which means they are only used for either testing or building the application and not at runtime. Specifically, the code of these dependencies does not go in the final application, it will not be in the docker images, and thus it will not be an issue for the production environment.

Next Steps

Since this is out of our control we suggest keeping this issue open until the dependencies are updated.
This issue will be removed from the Release 4 milestone: https://github.com/IntegratedAlarmSystem-Group/ias-display/milestone/4
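The chain described above (karma -> log4js -> loggly -> request) is the kind of finding a lockfile walk can surface on its own. The following is an added example, not code from the ias-display project or from anyone in this thread: it follows the `requires` edges of a lockfileVersion 1 package-lock.json (the format npm wrote in 2018), reports every path that ends at a `request` older than 2.83, and uses npm's per-entry `dev` flag to show whether each hit is confined to devDependencies. The `sampleLock` object is constructed to mirror the two chains in the thread; it is not the project's real lockfile.

```javascript
// Added example: report every lockfile-v1 "requires" path that ends at request < 2.83.
const MIN_SAFE = [2, 83, 0];   // first request release the thread treats as fixed
function olderThan(version, min) {
  const a = version.replace(/^\D*/, '').split('.').map(n => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) if ((a[i] || 0) !== min[i]) return (a[i] || 0) < min[i];
  return false;
}
// npm's lookup for v1 lockfiles: the nearest nested "dependencies" scope wins, else the hoisted entry.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) if (scopes[i] && scopes[i][name]) return scopes[i][name];
  return null;
}
function findVulnerablePaths(lock, roots, target = 'request', min = MIN_SAFE) {
  const found = [];
  const walk = (name, entry, scopes, path, seen) => {
    if (seen.has(name)) return;                      // guard against cyclic requires
    const here = path.concat(`${name}@${entry.version}`);
    if (name === target) {                           // entry.dev is npm's "dev-only" marker
      if (olderThan(entry.version, min)) found.push({ path: here.join(' -> '), devOnly: !!entry.dev });
      return;
    }
    const inner = scopes.concat([entry.dependencies]); // this entry's nested scope, if any
    for (const dep of Object.keys(entry.requires || {})) {
      const next = resolve(dep, inner);
      if (next) walk(dep, next, inner, here, new Set(seen).add(name));
    }
  };
  for (const root of roots) {                        // roots: names from package.json
    const entry = resolve(root, [lock.dependencies]);
    if (entry) walk(root, entry, [lock.dependencies], [], new Set());
  }
  return found;
}

// Constructed lockfile fragment modelled on the two chains described in the thread (not the real file).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    karma:  { version: '2.0.2', dev: true, requires: { log4js: '2.8.0' } },
    log4js: { version: '2.8.0', dev: true, requires: { loggly: '1.1.1' } },
    loggly: { version: '1.1.1', dev: true, requires: { request: '2.75.0' },
              dependencies: { request: { version: '2.75.0', dev: true } } },
    'node-sass': { version: '4.9.0', dev: true, requires: { request: '2.79.0' },
              dependencies: { request: { version: '2.79.0', dev: true } } },
    request: { version: '2.87.0', dev: false }       // hoisted copy, already past 2.83
  }
};

console.log(findVulnerablePaths(sampleLock, ['karma', 'node-sass']));
```

Pointing the same walk at a real package-lock.json (`JSON.parse(fs.readFileSync(...))`) with the names from package.json as `roots` lists each offending chain and whether `devOnly` holds, which is exactly the argument the comment above makes by hand.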

@sfehlandt
Contributor

sfehlandt commented Jul 17, 2018

Update:
node-sass and log4js have been updated. We only need to wait for karma to update the version of log4js: karma-runner/karma#2994
