
[PLAT-12017] lodash.template | CVE-2021-23337 #2143

Merged
merged 2 commits into from
May 21, 2024

Conversation

gingerbenw
Member

Goal

Manually override @lerna/conventional-commits to remove vulnerable lodash.template package, resolving CVE-2021-23337

Design

Ideally, we should update the major version of lerna to resolve this and additional security vulnerabilities, but this requires additional work around CI pipelines and is out of scope for this PR.


github-actions bot commented May 17, 2024

@bugsnag/browser bundle size diff

         Minified   Minified + Gzipped
Before   43.80 kB   13.43 kB
After    43.80 kB   13.43 kB
±        No change  No change

code coverage diff

<temporarily disabled>

Generated by 🚫 dangerJS against f5f3679

@gingerbenw gingerbenw force-pushed the PLAT-12017/override-lodash-template branch from e61be15 to f5f3679 Compare May 21, 2024 09:57
@gingerbenw gingerbenw requested a review from djskinner May 21, 2024 10:13
@gingerbenw gingerbenw mentioned this pull request May 21, 2024
Contributor

@djskinner djskinner left a comment


Has this completely resolved the alert? I can't remember for sure, but I thought CodeQL would report a dependabot alert as resolved back to the PR.

@gingerbenw
Member Author

gingerbenw commented May 21, 2024

Has this completely resolved the alert? I can't remember for sure, but I thought CodeQL would report a dependabot alert as resolved back to the PR.

I've never seen that before, actually! It might be possible to do with dependabot, but I don't think we've got it configured that way. I tend to have to merge these and wait for the next scan to close off the ticket, but I've confirmed using npm why that the vulnerable package is now gone.
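The PR description says the override removes lodash.template from under @lerna/conventional-commits, and the reply above says the result was confirmed with npm why. The following is an added example, not code from this PR or from the bugsnag-js project: a small Node script that performs that same "why is this package installed" check directly over a package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map keyed by node_modules path), so it can run as a CI gate that fails while the package is still present. The two lock objects, their package versions and their dependency ranges are constructed sample data, not the repository's real lockfile, and how the override itself was expressed is not shown because the PR page does not include it.

```javascript
// Added example: an "npm why"-style audit over package-lock.json data.
// Not code from the bugsnag-js repository; lock contents below are constructed.

// Constructed lock data BEFORE the override: lodash.template is nested under
// @lerna/conventional-commits, which lists it as a dependency.
const LOCK_BEFORE = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-monorepo", devDependencies: { lerna: "^4.0.0" } },
    "node_modules/lerna": {
      version: "4.0.0",
      dependencies: { "@lerna/conventional-commits": "4.0.0" },
    },
    "node_modules/@lerna/conventional-commits": {
      version: "4.0.0",
      dependencies: { "lodash.template": "^4.5.0" },
    },
    "node_modules/@lerna/conventional-commits/node_modules/lodash.template": {
      version: "4.5.0",
    },
  },
};

// Constructed lock data AFTER the override: the package and the edge to it are gone.
const LOCK_AFTER = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-monorepo", devDependencies: { lerna: "^4.0.0" } },
    "node_modules/lerna": {
      version: "4.0.0",
      dependencies: { "@lerna/conventional-commits": "4.0.0" },
    },
    "node_modules/@lerna/conventional-commits": { version: "4.0.0", dependencies: {} },
  },
};

// Last path segment after the final "node_modules/", keeping any @scope prefix:
// "node_modules/@lerna/conventional-commits/node_modules/lodash.template" -> "lodash.template"
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1].replace(/\/$/, "");
}

// Every installed copy of `name`, hoisted or nested, with its version and location.
function findInstalls(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p !== "" && packageName(p) === name)
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Every package (or the root project) that declares `name` in a dependency field.
function dependentsOf(lock, name) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const out = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    for (const field of fields) {
      const deps = meta[field];
      if (deps && Object.prototype.hasOwnProperty.call(deps, name)) {
        out.push({ dependent: p === "" ? "(root)" : packageName(p), field, range: deps[name] });
      }
    }
  }
  return out;
}

// Gate condition: no installed copy and no remaining dependency edge.
function vulnerablePackageGone(lock, name) {
  return findInstalls(lock, name).length === 0 && dependentsOf(lock, name).length === 0;
}

// Human-readable report in the spirit of `npm why`.
function whyReport(lock, name) {
  const lines = [];
  for (const i of findInstalls(lock, name)) lines.push(`${name}@${i.version} at ${i.path}`);
  for (const d of dependentsOf(lock, name)) {
    lines.push(`  required by ${d.dependent} (${d.field}: ${d.range})`);
  }
  return lines.length ? lines.join("\n") : `${name} is not present in the lockfile`;
}

// Stand-alone use: `node check-lock.js package-lock.json lodash.template`
// exits non-zero while the package is still installed. Without arguments,
// it reports on the constructed samples above.
if (typeof require === "function" && typeof module !== "undefined" && require.main === module) {
  const target = process.argv[3] || "lodash.template";
  if (process.argv[2]) {
    const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
    console.log(whyReport(lock, target));
    process.exitCode = vulnerablePackageGone(lock, target) ? 0 : 1;
  } else {
    console.log("before:\n" + whyReport(LOCK_BEFORE, target));
    console.log("after:\n" + whyReport(LOCK_AFTER, target));
  }
}
```

Checking both the installed copies and the declared dependency edges matters: a lockfile can lose the nested install while a package still lists the dependency, which reappears on the next install, so the gate only passes when both sets are empty.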

@gingerbenw gingerbenw merged commit 47ab2a3 into next May 21, 2024
55 checks passed
@gingerbenw gingerbenw deleted the PLAT-12017/override-lodash-template branch May 21, 2024 14:21