Security Vulnerability, openSSL Unit-Testing #1925
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Note that the following PR is also open:
I'm actually unsure if version |
|
Please update openSSL to 1.1.1p as the current 1.1.1l has compilation problems due to failing tests @ianhattendorf |
astiob
added a commit
to astiob/digimon-rearise-js
that referenced
this pull request
Sep 7, 2022
AFAICT NodeGit's only uses of Got are trivial and indeed limited to a script in its util directory, which is only used when compiling NodeGit from source. So an override shouldn't break anything (and indeed any Got vulnerability here might not matter at all, but let's keep Dependabot happy). These findings are corroborated by: nodegit/nodegit#1925
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello! I know I'm new here, but the following change(s) are quite non-invasive and I thought I'd contribute back
:D.Overview
gothad amoderatesecurity issue that was thrown. The following PR aims to fix that.Additionally, I've provided solutions to other larger open source
npmpackages relating to theminimistissues (a dependency of the very popularmochapackage), but as this is my first time aroundnodegit, I thought it best to first see how willing the maintainers are to accept my PR (while limited, it seems some either copy and replicate my changes, or haven't bothered to look into the proposals).minimist-related PR inexpressdependencyDiscussion
It seems that
got, adependency, is getting used only in theutildirectory.Further, specific usage of the module where
gotis initialized is limited toacquireOpenSSL.js.I thought to also create some unit testing as I saw that was a point of needed contributions.
Further diving down into the rabbit hole, I found that the binding for
node-gypauto-generates withdarwinspecifiedto
10.11as the minimum version; because I'm unable to verify (10.15) on the lower versions, I set the test toit.skip.However, I was unable to successfully compile openSSL
v1.1.1l. I updated the reference (a magic constant inacquireOpenSSL.js) tov1.1.1p. Thereafter I was able to successfully build wooohoooooo.I believe usage of these directives is still yet limited to
electronapplications; but I'm not 100% certain on this one.Note that while my personal testing included changing the
v1.1.1lversion tov1.1.1p, I did set it back.