
[deps] updates pika/pack to a non-vulnerable version #137

Merged: 1 commit, Jul 12, 2022

Conversation

nickfloyd (Contributor)

There is a known set of vulnerabilities in pika/pack. The intention of this PR is to update pika/pack to a non-compromised version.

This PR:

  • Runs fix-up on the lock file to get it to v2
  • Updates pika/pack to a non-vulnerable version

It appears that pika/pack v0.4.0 depends on:

node_modules/meow/node_modules/yargs-parser
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    np  >=2.0.0
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-name
    Depends on vulnerable versions of update-notifier
    node_modules/np
      @pika/pack  >=0.4.0-pre.2
      Depends on vulnerable versions of np
      node_modules/@pika/pack

Which has 12 vulnerabilities

v0.5.0 depends on:

node_modules/meow/node_modules/yargs-parser
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    np  >=2.0.0
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-name
    Depends on vulnerable versions of update-notifier
    node_modules/np
      @pika/pack  >=0.4.0-pre.2
      Depends on vulnerable versions of np
      node_modules/@pika/pack

Which also has 12 vulnerabilities

Whereas v0.3.7 has no known vulnerabilities. These vulnerabilities were introduced in the past two versions of pika/pack.

pika/pack appears to have been abandoned or put on hold. Additionally, the updates to the dependencies have been made to the source in master but have not been released.

It looks like our best options are to:

  1. Downgrade to v0.3.7 (currently there seem to be no side effects to making this change, and it solves the vulnerabilities being flagged by the repo)
  2. Find an alternative
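
The dependency chain above, as an added example that is not part of the PR or of the project's code: a script that reads `npm audit --json` output (the npm 7+ report shape, `auditReportVersion: 2`, where each entry's `via` array mixes advisory objects and names of other flagged packages) and walks the `via` edges from each direct dependency down to the advisories, so the packages you actually have to pin, downgrade or replace fall out mechanically instead of being read off the indented tree by eye. The embedded report is constructed to mirror the chain in the PR and is not real npm output; the advisory titles are placeholders, and the function names are this example's own.

```javascript
// Added example, not from the PR. Traces `npm audit --json` (npm 7+) output back
// to the direct dependencies that introduce each advisory.
// Assumed report shape: report.vulnerabilities[name] = {
//   isDirect: bool, via: [advisoryObject | "otherFlaggedPackage", ...],
//   effects: [...], range: "..." }

// Constructed sample mirroring the @pika/pack -> np -> meow -> ... chain in the PR.
// Not real npm output; advisory titles are placeholders.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "trim-newlines": {
      name: "trim-newlines", isDirect: false, effects: ["meow"],
      via: [{ name: "trim-newlines", title: "constructed advisory A" }],
    },
    "yargs-parser": {
      name: "yargs-parser", isDirect: false, effects: ["meow"],
      via: [{ name: "yargs-parser", title: "constructed advisory B" }],
    },
    "meow": {
      name: "meow", isDirect: false, range: "3.4.0 - 5.0.0", effects: ["np"],
      via: ["trim-newlines", "yargs-parser"],
    },
    "npm-name": {
      name: "npm-name", isDirect: false, effects: ["np"],
      via: [{ name: "npm-name", title: "constructed advisory C" }],
    },
    "update-notifier": {
      name: "update-notifier", isDirect: false, effects: ["np"],
      via: [{ name: "update-notifier", title: "constructed advisory D" }],
    },
    "np": {
      name: "np", isDirect: false, range: ">=2.0.0", effects: ["@pika/pack"],
      via: ["meow", "npm-name", "update-notifier"],
    },
    "@pika/pack": {
      name: "@pika/pack", isDirect: true, range: ">=0.4.0-pre.2", effects: [],
      via: ["np"],
    },
  },
};

// Depth-first walk from every direct dependency along its `via` edges.
// Returns one chain per advisory reached:
//   [directDep, ..., packageWithAdvisory, advisoryTitle]
// A string in `via` is another flagged package (keep descending); an object is
// the advisory itself (leaf). The path check guards against cyclic `via` edges.
function traceVulnerableChains(report) {
  const vulns = (report && report.vulnerabilities) || {};
  const chains = [];

  function walk(name, path) {
    const entry = vulns[name];
    if (!entry || path.includes(name)) return; // unknown node or cycle
    const next = [...path, name];
    for (const via of entry.via || []) {
      if (typeof via === "string") {
        walk(via, next);
      } else {
        chains.push([...next, via.title || via.url || "advisory"]);
      }
    }
  }

  for (const [name, entry] of Object.entries(vulns)) {
    if (entry.isDirect) walk(name, []);
  }
  return chains;
}

// The direct dependencies that must change (pin, downgrade or replace):
// the first element of every chain, de-duplicated.
function directDependenciesToFix(report) {
  return [...new Set(traceVulnerableChains(report).map((c) => c[0]))].sort();
}

// Arrow form, the way a reviewer would paste the chains into a PR description.
function formatChains(report) {
  return traceVulnerableChains(report).map((c) => c.join(" -> "));
}

for (const line of formatChains(sampleReport)) console.log(line);
console.log("direct dependencies to fix:", directDependenciesToFix(sampleReport));
```

To run it against a real project, save `npm audit --json > audit.json` and pass `JSON.parse(require("fs").readFileSync("audit.json", "utf8"))` in place of `sampleReport`. Note that the headline count npm prints (the "12 vulnerabilities" above) is the number of flagged packages in the `vulnerabilities` map, direct or transitive, so it will not match the number of chains this script prints; the chains are what tell you that the single direct dependency behind all of them is `@pika/pack`.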

ghost added this to Maintenance in JS on Jul 12, 2022
wolfy1339 merged commit 4cb77f3 into main on Jul 12, 2022
JS automation moved this from Maintenance to Done on Jul 12, 2022
wolfy1339 deleted the dependency-updates branch on July 12, 2022 18:11
@github-actions

🎉 This PR is included in version 3.0.2 🎉

The release is available on:

Your semantic-release bot 📦🚀
