
Upgrade libraries, fix vulnerabilities #63

Open
wilmerhmg wants to merge 1 commit into master
Conversation

wilmerhmg

This PR updates libraries and fixes vulnerabilities reported at https://www.npmjs.com/advisories/786

codecov bot commented Jul 14, 2020

Codecov Report

Merging #63 into master will increase coverage by 0.95%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##           master      #63      +/-   ##
==========================================
+ Coverage   83.93%   84.89%   +0.95%     
==========================================
  Files          17       17              
  Lines         610      556      -54     
==========================================
- Hits          512      472      -40     
+ Misses         98       84      -14     
Impacted Files             Coverage Δ
lib/utils/apply-action.js  62.50% <0.00%> (-1.39%) ⬇️
lib/utils/copy-file.js     70.45% <0.00%> (-0.70%) ⬇️
bin/index.js              100.00% <0.00%> (ø)
lib/utils/watcher.js       84.37% <0.00%> (+2.06%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 692b67b...36ad868. Read the comment docs.

@wilmerhmg wilmerhmg changed the title upgrade libraries, fix vulnerabilities Upgrade libraries, fix vulnerabilities Jul 14, 2020
Misiu commented Oct 13, 2020

I just ran Snyk and got this warning:

  ✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://snyk.io/vuln/npm:braces:20180219] in braces@1.8.5
    introduced by cpx@1.5.0 > chokidar@1.7.0 > anymatch@1.3.2 > micromatch@2.3.11 > braces@1.8.5
  This issue was fixed in versions: 2.3.1

KirilVandov commented Feb 22, 2021

Can we expect this change to be merged? Or do we need to manually patch it locally :(

Regular Expression Denial of Service

Package braces

Patched in >=2.3.1

Dependency of cpx [dev]

Path cpx > chokidar > anymatch > micromatch > braces
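
The dependency path quoted in the two comments above can be checked mechanically against a lockfile. The following is an added example, not code from cpx or from anyone in this thread: it walks a constructed dependency tree in the nested "dependencies" shape of an npm lockfile v1, reports every path that ends in a braces version below the patched 2.3.1, and flags whether the top-level package pulling it in is a dev dependency. The `lessThan` helper, the `findVulnerable` function and the sample tree are assumptions made for the example.

```javascript
// Added example (not cpx code): report every dependency path that reaches a
// vulnerable "braces" release, using the nested "dependencies" layout of an
// npm lockfile v1. The tree below is constructed to mirror this thread.

const PATCHED = "2.3.1"; // first fixed version named in the Snyk output above

// Minimal semver ordering on the major.minor.patch triple.
// Assumption: no prerelease or build tags in the versions compared.
function lessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false; // equal versions are not "less than"
}

// Depth-first walk. `tree` maps package name -> { version, dev?, dependencies? }.
// The dev flag is inherited from the top-level package that starts the path,
// which is what decides whether the finding affects shipped code or only the build.
function findVulnerable(tree, target, patched, path = [], dev = false, out = []) {
  for (const [name, node] of Object.entries(tree)) {
    const here = path.concat(`${name}@${node.version}`);
    const isDev = path.length === 0 ? Boolean(node.dev) : dev;
    if (name === target && lessThan(node.version, patched)) {
      out.push({ path: here.join(" > "), dev: isDev });
    }
    if (node.dependencies) {
      findVulnerable(node.dependencies, target, patched, here, isDev, out);
    }
  }
  return out;
}

// Constructed sample: the cpx chain from the thread plus an already-patched
// braces under a hypothetical production dependency, to show it is not reported.
const sampleTree = {
  cpx: { version: "1.5.0", dev: true, dependencies: {
    chokidar: { version: "1.7.0", dependencies: {
      anymatch: { version: "1.3.2", dependencies: {
        micromatch: { version: "2.3.11", dependencies: {
          braces: { version: "1.8.5" } } } } } } } } },
  "some-app-dep": { version: "1.0.0", dependencies: {
    braces: { version: "2.3.2" } } },
};

for (const f of findVulnerable(sampleTree, "braces", PATCHED)) {
  console.log(`${f.dev ? "[dev]" : "[prod]"} ${f.path}`);
}
```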

golfovi commented Jun 24, 2021

Hi! could this PR be merged please?

@rjz-avaleo

There's a bigger problem than only those vulnerabilities. The last release of this project was in 2016; version 1.5.0, which is the newest one, was created 5 years ago. I believe that this project is just dead. Fortunately, no one uses cpx in production code, only for building, so all vulnerabilities can be just ignored, because they aren't real problems, although I'd say that it's not an ideal situation, because everyone using this tool will have to maintain the ignored list of vulnerabilities by himself.

@rjz-avaleo

I found this: https://www.npmjs.com/package/cpx-fixed
It seems someone forked this repo (and then another one) to be able to release new versions.
