By performing a dependency check using OWASP Dependency-Check 7.0.4 on my project, which uses Java for the BE and JS for the BFE, I got several CVEs noted over 8. One is the json-schema package used by npm. This is the package configuration in the package.json:
dependency:
"json-schema": "^0.4.0"
"npm": "^7.13.0"
When calling the command npm ls json-schema to check the json-schema usage, I got:
+-- [email protected]
+-- [email protected]
| `-- @lerna/[email protected]
| `-- [email protected]
| `-- @npmcli/[email protected]
| `-- [email protected]
| `-- [email protected]
| `-- [email protected]
| `-- [email protected]
| `-- [email protected] deduped
`-- [email protected]
`-- [email protected]
`-- [email protected]
`-- [email protected]
`-- [email protected]
`-- [email protected]
I see that I need to somehow force npm to use the latest json-schema version. Can anyone please give me a hint whether this is the right way, and how to achieve it?
Problem solved by updating npm to 8.6.0.
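As an added example that is not part of the original question or its resolution: a Node script that walks the JSON form of the same tree the post shows as text (npm ls --all --json) and lists every copy of json-schema below 0.4.0 together with the top-level dependency that pulls it in, which is the package to update (here npm itself). The tree inside the script is constructed sample data; @npmcli/example-pkg and @lerna/example-pkg are placeholder names, not real packages.

```javascript
// Added example, not from the original post: walk the JSON form of
// `npm ls --all --json` and report every copy of json-schema older than the
// minimum version, with the top-level dependency that pulls it in.
// The tree below is constructed sample data (names/versions are made up).
const sampleTree = {
  name: "my-project",
  dependencies: {
    "json-schema": { version: "0.4.0" },
    npm: { version: "7.13.0", dependencies: {
      "@npmcli/example-pkg": { version: "1.0.0", dependencies: {
        "json-schema": { version: "0.2.3" } } } } },
    lerna: { version: "4.0.0", dependencies: {
      "@lerna/example-pkg": { version: "4.0.0", dependencies: {
        "json-schema": { version: "0.2.3" } } } } },
  },
};

const MIN_SAFE = "0.4.0"; // lower bound taken from the post's package.json

// Numeric x.y.z comparison; any pre-release suffix is ignored.
function versionLt(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Depth-first walk of an `npm ls --json` tree. Returns one record per copy
// of `pkg` below `minVersion`: its version, the full chain from the root,
// and `via`, the top-level dependency to update or override.
function findOutdated(tree, pkg, minVersion, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && versionLt(node.version, minVersion)) {
      hits.push({ version: node.version, via: here[0], chain: here.join(" > ") });
    }
    hits.push(...findOutdated(node, pkg, minVersion, here));
  }
  return hits;
}

for (const h of findOutdated(sampleTree, "json-schema", MIN_SAFE)) {
  console.log(`json-schema ${h.version} via ${h.via}: ${h.chain}`);
}
```

To use it on a real project, save the output of npm ls --all --json to a file and replace sampleTree with the parsed JSON; the deduped root copy at 0.4.0 is correctly left out of the report.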