chore: bump version of minimatch due to security issue PRISMA-2022-0039 #15774

Merged
merged 2 commits into from May 6, 2022

Contributor

@opravil-jan opravil-jan commented Apr 11, 2022

Prerequisites checklist

What is the purpose of this pull request? (put an "X" next to an item)

[ ] Documentation update
[ ] Bug fix (template)
[ ] New rule (template)
[ ] Changes an existing rule (template)
[ ] Add autofix to a rule
[ ] Add a CLI option
[ ] Add something to the core
[x] Other, please explain: fixing security issue by bumping package version

What changes did you make? (Give an overview)

Is there anything you'd like reviewers to focus on?


linux-foundation-easycla bot commented Apr 11, 2022

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: opravil-jan / name: Jan Opravil (60f2b19)

@eslint-github-bot eslint-github-bot bot added the triage An ESLint team member will look at this issue soon label Apr 11, 2022
@eslint-github-bot

Hi @opravil-jan!, thanks for the Pull Request

The first commit message isn't properly formatted. We ask that you update the message to match this format, as we use it to generate changelogs and automate releases.

  • The commit message tag wasn't recognized. Did you mean "docs", "fix", or "feat"?
  • There should be a space following the initial tag and colon, for example 'feat: Message'.

To Fix: You can fix this problem by running git commit --amend, editing your commit message, and then running git push -f to update this pull request.

Read more about contributing to ESLint here

@opravil-jan opravil-jan changed the title bump version of minimatch due to security issue PRISMA-2022-0039 fix: bump version of minimatch due to security issue PRISMA-2022-0039 Apr 11, 2022
@eslint-github-bot eslint-github-bot bot added the bug ESLint is working incorrectly label Apr 11, 2022
Member

nzakas commented Apr 13, 2022

This is breaking some tests. Please take a look and address.

Please note: the security issue is for running minimatch in a server, not on a command line.

@opravil-jan
Contributor Author

How can I debug Windows tests on Linux? I do not have a Windows system within reach to run these failing tests on. How do you run tests for Windows on a non-Windows PC?

Thanks

Member

nzakas commented Apr 14, 2022

Hmm, I don’t have an answer for that, but we clearly can’t merge this if it breaks functionality on Windows. We can see if anyone else volunteers to look into it, but this will be a low priority for the team.

@mdjermanovic
Member

[x] Other, please explain: fixing security issue by bumping package version

Is the issue fixed in minimatch v3.1.2? If updating the dependency requirement to "minimatch": "^3.1.2" in eslint's package.json helps to remove security warnings and concerns, that would be much easier to do at the moment as there are no breaking changes.
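
A check that follows from the suggestion above, as an added example that is not part of the thread or of ESLint's code: after raising the direct requirement, scan the lockfile for nested copies of minimatch that still resolve below the floor. The 3.1.2 floor is the version proposed in the comment and is an assumption here; the lockfile fragment, `sample-tool`, `other-tool` and the helper names are constructed for illustration.

```javascript
// Constructed lockfile fragment in the npm lockfile v2/v3 "packages" layout.
// Every package name except minimatch, and every version, is sample data.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app", dependencies: { minimatch: "^3.1.2" } },
    "node_modules/minimatch": { version: "3.1.2" },
    "node_modules/sample-tool/node_modules/minimatch": { version: "3.0.4" },
    "node_modules/@scope/minimatch-helper": { version: "1.0.0" },
    "node_modules/other-tool/node_modules/minimatch": { version: "5.0.1" }
  }
});

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so that 3.10.0 sorts above 3.9.9.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` whose resolved version is below `floor`.
function findCopiesBelow(lockText, name, floor) {
  const lock = JSON.parse(lockText);
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    // Match the package at any nesting depth, but not look-alike names.
    if (pkgPath !== suffix && !pkgPath.endsWith(`/${suffix}`)) continue;
    if (!meta.version) continue;
    if (compareVersions(meta.version, floor) < 0) {
      hits.push({ path: pkgPath, version: meta.version });
    }
  }
  return hits;
}

// Floor is an assumption taken from the version proposed in the thread.
console.log(findCopiesBelow(SAMPLE_LOCK, "minimatch", "3.1.2"));
```

A nested hit means a transitive dependency pins its own older copy, which a bump in the top-level package.json does not change.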


netlify bot commented May 6, 2022

Deploy Preview for docs-eslint failed.

Name Link
🔨 Latest commit 5a8a2c4
🔍 Latest deploy log https://app.netlify.com/sites/docs-eslint/deploys/6274f03d502669000872aea0

@mdjermanovic mdjermanovic changed the title fix: bump version of minimatch due to security issue PRISMA-2022-0039 chore: bump version of minimatch due to security issue PRISMA-2022-0039 May 6, 2022
@eslint-github-bot eslint-github-bot bot added the chore This change is not user-facing label May 6, 2022
@mdjermanovic mdjermanovic merged commit 8167aa7 into eslint:main May 6, 2022
crapStone pushed a commit to Calciumdibromid/CaBr2 that referenced this pull request May 13, 2022
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [eslint](https://eslint.org) ([source](https://github.com/eslint/eslint)) | devDependencies | minor | [`8.14.0` -> `8.15.0`](https://renovatebot.com/diffs/npm/eslint/8.14.0/8.15.0) |

---

### Release Notes

<details>
<summary>eslint/eslint</summary>

### [`v8.15.0`](https://github.com/eslint/eslint/releases/v8.15.0)

[Compare Source](eslint/eslint@v8.14.0...v8.15.0)

#### Features

-   [`ab37d3b`](eslint/eslint@ab37d3b) feat: add `enforceInClassFields` option to no-underscore-dangle ([#15818](eslint/eslint#15818)) (Roberto Cestari)

#### Bug Fixes

-   [`8bf9440`](eslint/eslint@8bf9440) fix: "use strict" should not trigger strict mode in ES3 ([#15846](eslint/eslint#15846)) (Milos Djermanovic)

#### Documentation

-   [`28116cc`](eslint/eslint@28116cc) docs: update AST node names link in no-restricted-syntax ([#15843](eslint/eslint#15843)) (Milos Djermanovic)
-   [`272965f`](eslint/eslint@272965f) docs: fix h1 heading on formatters page ([#15834](eslint/eslint#15834)) (Milos Djermanovic)
-   [`a798166`](eslint/eslint@a798166) docs: update example for running individual rule tests ([#15833](eslint/eslint#15833)) (Milos Djermanovic)
-   [`57e732b`](eslint/eslint@57e732b) docs: mark `SourceCode#getJSDocComment` deprecated in working-with-rules ([#15829](eslint/eslint#15829)) (Milos Djermanovic)
-   [`9a90abf`](eslint/eslint@9a90abf) docs: update docs directory in working-with-rules ([#15830](eslint/eslint#15830)) (Milos Djermanovic)
-   [`810adda`](eslint/eslint@810adda) docs: add more examples for prefer-object-spread ([#15831](eslint/eslint#15831)) (coderaiser)
-   [`06b1edb`](eslint/eslint@06b1edb) docs: clarify no-control-regex rule ([#15808](eslint/eslint#15808)) (Milos Djermanovic)
-   [`9ecd42f`](eslint/eslint@9ecd42f) docs: Fixed typo in code comment ([#15812](eslint/eslint#15812)) (Addison G)
-   [`de992b7`](eslint/eslint@de992b7) docs: remove links to 2fa document ([#15804](eslint/eslint#15804)) (Milos Djermanovic)
-   [`5222659`](eslint/eslint@5222659) docs: fix 'Related Rules' heading in no-constant-binary-expression ([#15799](eslint/eslint#15799)) (Milos Djermanovic)
-   [`e70ae81`](eslint/eslint@e70ae81) docs: Update README team and sponsors (ESLint Jenkins)

#### Chores

-   [`1ba6a92`](eslint/eslint@1ba6a92) chore: upgrade @eslint/eslintrc@1.2.3 ([#15847](eslint/eslint#15847)) (Milos Djermanovic)
-   [`8167aa7`](eslint/eslint@8167aa7) chore: bump version of minimatch due to security issue PRISMA-2022-0039 ([#15774](eslint/eslint#15774)) (Jan Opravil)
-   [`b8995a4`](eslint/eslint@b8995a4) chore: Implement docs site ([#15815](eslint/eslint#15815)) (Nicholas C. Zakas)
-   [`6494e3e`](eslint/eslint@6494e3e) chore: update link in `codeql-analysis.yml` ([#15817](eslint/eslint#15817)) (Milos Djermanovic)
-   [`36503ec`](eslint/eslint@36503ec) chore: enable no-constant-binary-expression in eslint-config-eslint ([#15807](eslint/eslint#15807)) (唯然)

</details>

---

### Configuration

📅 **Schedule**: At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, click this checkbox.

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Co-authored-by: cabr2-bot <cabr2.help@gmail.com>
Reviewed-on: https://codeberg.org/Calciumdibromid/CaBr2/pulls/1343
Reviewed-by: Epsilon_02 <epsilon_02@noreply.codeberg.org>
Co-authored-by: Calciumdibromid Bot <cabr2_bot@noreply.codeberg.org>
Co-committed-by: Calciumdibromid Bot <cabr2_bot@noreply.codeberg.org>
srijan-deepsource pushed a commit to DeepSourceCorp/eslint that referenced this pull request May 30, 2022
…39 (eslint#15774)

* fix: bump version of minimatch due to security issue PRISMA-2022-0039

* Update package.json

Co-authored-by: Milos Djermanovic <milos.djermanovic@gmail.com>
srijan-deepsource added a commit to DeepSourceCorp/eslint that referenced this pull request May 30, 2022
@eslint-github-bot eslint-github-bot bot locked and limited conversation to collaborators Nov 3, 2022
@eslint-github-bot eslint-github-bot bot added the archived due to age This issue has been archived; please open a new issue for any further discussion label Nov 3, 2022