
Vulnerability Issue With bl < 2.2.1 #349

Closed
wu-json opened this issue Sep 3, 2020 · 8 comments · Fixed by #371
Labels: dependencies (Pull requests that update a dependency file), released (Pull Request released | Issue is fixed)

Comments

@wu-json

wu-json commented Sep 3, 2020

Issue

Just got a message from one of my repos about a security vulnerability with bl below version 2.2.1. It seems like this repo still uses v2.2.0. Would be great if this could be updated.

[Screenshot from 2020-09-03 09-32-47]

@wu-json wu-json added the bug label Sep 3, 2020
@hasezoey
Member

hasezoey commented Sep 3, 2020

Package bl is not installed directly in one of the packages here, so it will depend on when the other packages are upgraded.

@hasezoey hasezoey added the dependencies label and removed the bug label Sep 3, 2020
@wu-json
Author

wu-json commented Sep 3, 2020

Ah understood - thank you!

@hasezoey
Member

hasezoey commented Sep 7, 2020

#348 got merged; the next version will include it.

@hasezoey hasezoey closed this as completed Sep 7, 2020
@nodkz
Collaborator

nodkz commented Sep 7, 2020

Please let us know when this PR is accepted (mongodb/node-mongodb-native#2536) and the new mongodb package is published.

Only after that can we eliminate this warning.

@hasezoey hasezoey reopened this Sep 7, 2020
@kylepeeler

kylepeeler commented Sep 8, 2020

Anything I (first-time contributor 😄) can do to help get this moved along? Merging the above and this one would help to resolve a high npm vulnerability currently blocking CI on another project of mine.

@hasezoey
Member

hasezoey commented Sep 9, 2020

@kylepeeler the fix on this package already got applied in #348, but because this package uses yarn, it's only yarn.lock which got updated; otherwise we need to wait for mongodb to merge the mentioned PR and release it.
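
The situation hasezoey describes (the lockfile now resolves a fixed bl, but the direct dependent still declares the old range until mongodb itself releases) can be checked mechanically. The following is an added example, not code from this repository or from mongodb: it parses a constructed yarn.lock v1 excerpt and lists every resolution of bl below 2.2.1 together with the lock entries whose declared range resolves to it.

```javascript
// Added example (not the project's code). Constructed yarn.lock v1 excerpt mirroring the thread.
const SAMPLE_YARN_LOCK = `# yarn lockfile v1

bl@^2.2.0:
  version "2.2.0"

mongodb@3.6.0:
  version "3.6.0"
  dependencies:
    bl "^2.2.0"
`;
// Minimal yarn.lock v1 parser: unindented "name@range[, ...]:" headers, two-space fields, four-space deps.
function parseYarnLock(text) {
  const entries = []; let cur = null, inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      const specs = line.replace(/:$/, '').split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      cur = { name: specs[0].slice(0, specs[0].lastIndexOf('@')), specs, version: null, deps: {} };
      entries.push(cur); inDeps = false;
    } else if (raw.startsWith('    ') && inDeps) {
      const m = line.match(/^"?([^"\s]+)"?\s+"([^"]+)"$/); // e.g.  bl "^2.2.0"
      if (m) cur.deps[m[1]] = m[2];
    } else if (line === 'dependencies:') {
      inDeps = true;
    } else {
      inDeps = false;
      const m = line.match(/^version "([^"]+)"$/);
      if (m) cur.version = m[1];
    }
  }
  return entries;
}
// Numeric major.minor.patch comparison; prerelease tags are ignored (demo assumption).
function versionLessThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}
// Resolutions of `pkg` below `fixedVersion`, plus the dependents whose declared range resolves to each.
function findVulnerableResolutions(lockText, pkg, fixedVersion) {
  const entries = parseYarnLock(lockText);
  return entries
    .filter(e => e.name === pkg && e.version && versionLessThan(e.version, fixedVersion))
    .map(e => ({ version: e.version, dependents: entries
      .filter(d => d.deps[pkg] !== undefined && e.specs.includes(`${pkg}@${d.deps[pkg]}`))
      .map(d => `${d.name}@${d.version}`) }));
}
```

Run it against the real yarn.lock by reading the file into `lockText`; an empty result means no entry of bl below the fixed version remains, regardless of what dependents still declare.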

@kylepeeler

mongodb/node-mongodb-native#2536 seems to have been merged and the issue resolved; should we close this issue?

hasezoey added a commit that referenced this issue Sep 11, 2020

- update mongodb version to 3.6.2 to fix "bl" security issue
- update tar-stream to 2.1.4

fixes #349
@github-actions github-actions bot added the released label Sep 11, 2020