[Systemlibarian University St.Gallen]

Hello
I released a new version of the ‘Copy User Roles’ CloudApp (https://github.com/HSG-Library/alma-copy-user-roles), but it gets rejected with the following message:

> Your Cloud App submission from hsg-library/alma-copy-user-roles failed our security audit. ‘npm audit’ reported 2 critical vulnerabilities. Please resolve these vulnerabilities and resubmit your Cloud App. Thank you.

Since this app has no dependencies other than the ones generated at ‘eca init’, I’m not sure how I should resolve the vulnerabilities (see https://github.com/HSG-Library/alma-copy-user-roles/blob/main/package.json).

‘eca update’ tells me ‘Nothing to update’, im using v1.4.3.

Thank you for helping me with this.

br
Jonas

[Mark Gobat]

You can run an “npm audit” in your Cloud App development directory to see which critical vulnerabilities are preventing your Cloud App from being published.

We understand that updating our own dependencies in the Ex Libris Cloud App SDK is the best solution for these critical vulnerabilities, and we are investigating ways to improve our process for implementing such updates.

[Systemlibarian University St.Gallen]

Hi Mark, thank you for the help.

Just in case some one else encounters a similar issue. The reason why the critical issues did not show up on my machine was, that I was using node v16 with npm v8. When I switched to node v13 with npm v6, the mentioned 2 critical vulnerabilities showed up.

To prevent such issues in the future I added a Github Action which checks for critical vulnerabilities and performs an ‘eca build’ on push to Github (https://github.com/HSG-Library/alma-copy-user-roles/blob/develop/.github/workflows/check_and_build.yml)

br
Jonas

[Author]

Posts