Skip to content

Fix CVE-2021-23566 in nanoid before 3.1.31 #6826

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 25, 2022
Merged

Fix CVE-2021-23566 in nanoid before 3.1.31 #6826

merged 1 commit into from
Jan 25, 2022
+15 −16

Conversation

pgorny
Copy link
Contributor

@pgorny pgorny commented Jan 20, 2022

Unfortunately, nanoid is affected by CVE-2021-23566, but testcafe pins nanoid@^1.0.1 and due to semver it means it will not update automatically. Whilst the issue is small for a testing solution, the issue does bubble up to all consuming projecs, tainiting them.

For this issue to be fully addressed the corresponding PR in testcafe-browser-toosl needs to also be merged, that project to be updated and testcafe dependency on it needs to be bumped up.

@pgorny pgorny requested a review from AndreyBelym as a code owner January 20, 2022 14:01
@need-response-app need-response-app bot added the STATE: Need response An issue that requires a response or attention from the team. label Jan 20, 2022
@pgorny pgorny temporarily deployed to authentication January 20, 2022 14:01 Inactive
@pgorny pgorny temporarily deployed to CI January 21, 2022 08:29 Inactive
@viktoria2506 viktoria2506 added the STATE: PR Review Pending A note that this PR will be reviewed. label Jan 24, 2022
@miherlosev
Copy link
Collaborator

Hi @pgorny

Thank you for your contribution to TestCafe. Please rebase this PR to fix tests.

@need-response-app need-response-app bot removed the STATE: Need response An issue that requires a response or attention from the team. label Jan 24, 2022
@miherlosev miherlosev self-requested a review January 24, 2022 12:45
@pgorny pgorny temporarily deployed to authentication January 24, 2022 12:48 Inactive
@miherlosev miherlosev removed the STATE: PR Review Pending A note that this PR will be reviewed. label Jan 24, 2022
@pgorny pgorny temporarily deployed to CI January 24, 2022 12:49 Inactive
@AndreyBelym
Copy link
Contributor

Looks like we have some compatibility problem with the new nanoid version, I'm trying to fix it ASAP

@AndreyBelym
Copy link
Contributor

I cannot reproduce it locally, BTW tests are passed

@AndreyBelym AndreyBelym merged commit d46a0b9 into DevExpress:master Jan 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@miherlosev miherlosev

@AndreyBelym AndreyBelym

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@pgorny @miherlosev @AndreyBelym @viktoria2506