SharePoint Framework 1.8.1 relies on js-yaml@3.9.1 which has a known security vulnerability.


My organization has an internal node package management system. No code with known security vulnerabilities can be uploaded to that repository. The following 2 packages in SPFX 1.8.1 rely on js-yaml@3.9.1, which has a known security vulnerability. Is there any way to get a version that can use js-yaml@3.13.1 so that I can bring it in for use?

 

"@microsoft/sp-build-web": "1.8.1",
"@microsoft/sp-webpart-workbench": "1.8.1",

 

 

0 Replies
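An added example, not part of the original post: a Node.js check that walks a lockfileVersion 1 `package-lock.json` and reports every js-yaml install older than 3.13.1, plus the packages whose `requires` range asks for it. The sample lockfile and the package name `hypothetical-config-loader` are constructed for illustration and do not describe the real SPFx dependency tree.

```javascript
'use strict';

// Compare two x.y.z version strings numerically: <0, 0 or >0.
// (A plain string comparison would wrongly rank 3.9.1 above 3.13.1.)
function compareVersions(a, b) {
  const pa = a.split('.').map((n) => parseInt(n, 10) || 0);
  const pb = b.split('.').map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 package-lock.json.
// Returns installs of `name` older than `minVersion`, and the packages whose
// "requires" map asks for `name` (their ranges decide whether an upgrade fits).
function auditLock(lock, name, minVersion) {
  const oldInstalls = [];
  const requirers = [];
  (function walk(deps, trail) {
    for (const [pkg, info] of Object.entries(deps || {})) {
      const here = trail.concat(pkg);
      if (pkg === name && compareVersions(info.version, minVersion) < 0) {
        oldInstalls.push({ path: here.join(' > '), version: info.version });
      }
      if (info.requires && info.requires[name]) {
        requirers.push({ path: here.join(' > '), range: info.requires[name] });
      }
      walk(info.dependencies, here);
    }
  })(lock.dependencies, []);
  return { oldInstalls, requirers };
}

// Constructed sample lockfile; the dependency chain below is hypothetical.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    '@microsoft/sp-build-web': { version: '1.8.1' },
    'hypothetical-config-loader': {
      version: '1.0.0',
      requires: { 'js-yaml': '~3.9.1' },
      dependencies: { 'js-yaml': { version: '3.9.1' } }
    },
    'js-yaml': { version: '3.13.1' }
  }
};

const report = auditLock(sampleLock, 'js-yaml', '3.13.1');
console.log(JSON.stringify(report, null, 2));
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` to `auditLock` in place of `sampleLock`.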