0049377: nexoprovider module pacakge.json semver should be reviewed and package-lock.json should be updated

Openbravo Issue Tracking System - Retail Modules

View Issue Details

Project

Category

View Status

Date Submitted

Last Update

0049377

Retail Modules

Nexo Implementation

public

2022-05-23 15:22

2022-06-27 17:15

Reporter

shuehner

Assigned To

adrianromero

Priority

normal

Severity

major

Reproducibility

have not tried

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

Target Version

Fixed in Version

Merge Request Status

Review Assigned To

OBNetwork customer

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

Summary

0049377: nexoprovider module pacakge.json semver should be reviewed and package-lock.json should be updated

Description

a.) package.json of nexoprovider module hardcodes versions of its dependencies very strictly.

That should be reviewed and unless special reason exists more typical ^ semver instead of = should be used.

JSONIX part is managed in the related design defect https://issues.openbravo.com/view.php?id=49609 [^]

b.1) npm audit issues (easy)
run "npm audit fix"

b.2) npm audit issues
xmldom avoiding old versions is still not possible as depended upon by jsonix@3.0.0

c.) jsonix@3.0.0 contains jsonix-schema-compiler-full.jar including outdated other libraries
jsonix-schema-compiler-full.jar (shaded: commons-beanutils:commons-beanutils:1.9.2)
jsonix-schema-compiler-full.jar (shaded: commons-collections:commons-collections:3.2.1)

Note:
- jsonix upstream seems to not have released a new version >3.0.0 yet

Steps To Reproduce

run npm audit
run owasp-dependency check with "npm install" done before in the module

Proposed Solution

Additional Information