-
Over in Cloud PAL, we've been getting some issues about security vulnerabilities coming from Are these vulnerabilities applicable to the way that Thank you!
Replies: 2 comments 1 reply
-
Hi @abbeyhrt! 👋 This is a great question and I think applies to any CVE vulnerabilities that get flagged through tooling or commands like `npm audit`. In general, these warnings are coming from a development dependency when `@carbon/telemetry` is included. As a result, they can be considered false positives because none of the code will end up in a build. Instead, these dependencies are used for tooling in CI environments and are never brought into JavaScript code and subsequently exploited. There was a similar thread on the `create-react-app` project that we based this response on. Specifically this comment and the one below: facebook/create-react-app#8529 (comment). In it, Dan also recommends a way to correct these vulnerabilities in transitive dependencies if the false positives are causing an issue in your deployment pipeline. I will add that if there is a security vulnerability that does appear in the code with how it is used in CI or will impact a user, we will always want to hear about it and will immediately address it. However, that doesn't seem to be the case here. Hope this helps!
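The answer above rests on a distinction a defender can check mechanically instead of by eye: whether the package an advisory names is installed only for development tooling or also sits in the production dependency tree. The script below is an added example, not code from the Carbon project or from anyone in this thread. It cross-references an `npm audit --json` report with `package-lock.json` and assumes the lockfile v2/v3 `packages` map (install path to entry, with `dev: true` on dev-only installs) and the audit report's per-vulnerability `nodes` array of install paths; both input documents and every package name other than `@carbon/telemetry` are constructed samples.

```javascript
// Added example, not code from the Carbon project or from this thread.
// Cross-references an `npm audit --json` report with package-lock.json
// (lockfile v2/v3) to separate advisories that only reach development
// tooling from those that reach the production dependency tree.
//
// Assumed input shapes (not taken from the page):
//   - lockfile.packages: map of install path -> entry; dev-only installs
//     carry `dev: true`
//   - audit.vulnerabilities: map of package name -> { severity, nodes, ... }
//     where `nodes` lists the affected install paths

// Constructed sample lockfile: `react` and `example-runtime-lib` ship to
// users; `@carbon/telemetry` is a devDependency that pulls in a fictional
// `example-regex-parser` and a nested, dev-only copy of `example-runtime-lib`.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: { react: '^18.0.0', 'example-runtime-lib': '^1.0.0' },
      devDependencies: { '@carbon/telemetry': '^0.1.0' },
    },
    'node_modules/react': { version: '18.2.0' },
    'node_modules/example-runtime-lib': { version: '1.0.0' },
    'node_modules/@carbon/telemetry': { version: '0.1.0', dev: true },
    'node_modules/example-regex-parser': { version: '2.0.0', dev: true },
    'node_modules/@carbon/telemetry/node_modules/example-runtime-lib': { version: '0.9.0', dev: true },
  },
};

// Constructed sample audit report for that tree (severities are made up).
const sampleAudit = {
  vulnerabilities: {
    'example-regex-parser': {
      severity: 'high',
      nodes: ['node_modules/example-regex-parser'],
    },
    'example-runtime-lib': {
      severity: 'moderate',
      nodes: [
        'node_modules/example-runtime-lib',
        'node_modules/@carbon/telemetry/node_modules/example-runtime-lib',
      ],
    },
    'example-unlisted': {
      severity: 'low',
      nodes: ['node_modules/example-unlisted'], // not present in the lockfile
    },
  },
};

// True when the install at `installPath` exists and is flagged dev-only.
function isDevOnly(lockfile, installPath) {
  const entry = lockfile.packages[installPath];
  return Boolean(entry && entry.dev === true);
}

// Sort each advisory into one of three buckets. A single production install
// path makes the advisory "production": dev-only duplicate installs do not
// cancel out a copy that ships.
function classifyAudit(audit, lockfile) {
  const result = { devOnly: [], production: [], unknown: [] };
  for (const [name, vuln] of Object.entries(audit.vulnerabilities || {})) {
    const paths = (vuln.nodes || []).filter((p) => lockfile.packages[p]);
    if (paths.length === 0) {
      result.unknown.push(name); // audit and lockfile disagree; check by hand
      continue;
    }
    const reachesProduction = paths.some((p) => !isDevOnly(lockfile, p));
    (reachesProduction ? result.production : result.devOnly).push(name);
  }
  for (const bucket of Object.values(result)) bucket.sort();
  return result;
}

// Render a short triage report; returned as a string rather than printed.
function formatReport(classified, audit) {
  const describe = (name) => `${name} (${audit.vulnerabilities[name].severity})`;
  const line = (label, names) => `${label} ${names.map(describe).join(', ') || 'none'}`;
  return [
    line('production:', classified.production),
    line('dev-only:  ', classified.devOnly),
    line('unknown:   ', classified.unknown),
  ].join('\n');
}

// Stand-alone use: `node classify-audit.js audit.json package-lock.json`
// (after `npm audit --json > audit.json`); with no arguments the samples run.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [auditPath, lockPath] = process.argv.slice(2);
  const audit = auditPath ? JSON.parse(fs.readFileSync(auditPath, 'utf8')) : sampleAudit;
  const lockfile = lockPath ? JSON.parse(fs.readFileSync(lockPath, 'utf8')) : sampleLockfile;
  console.log(formatReport(classifyAudit(audit, lockfile), audit));
}

if (typeof module !== 'undefined') {
  module.exports = { isDevOnly, classifyAudit, formatReport, sampleAudit, sampleLockfile };
}
```

A "dev-only" result says the vulnerable code is not bundled for users, which is the point made in the answer; it does not say the CI runner that executes the tool is unaffected, so the bucket is a triage signal for what to fix first, and the "unknown" bucket (audit output that does not match the lockfile on disk) is worth a manual look before dismissing anything.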
-
Thanks for your response @joshblack! Just to be sure, is this also applicable to the ReDoS vulnerability detected it