
[deps] updates pika/pack to a non-vulnerable version #373

Merged
merged 2 commits into from
Jul 11, 2022

Conversation

nickfloyd
Contributor

@nickfloyd nickfloyd commented Jul 11, 2022

There is a known set of vulnerabilities in pika/pack. The intention of this PR is to update pika/pack to a non-compromised version. See the Dependabot alert for more details.

This change set:

  • Updates pika/pack to a non-vulnerable version
  • Updates the lock file to a new version

It appears that pika/pack v0.4.0 depends on:

node_modules/meow/node_modules/yargs-parser
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    np  >=2.0.0
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-name
    Depends on vulnerable versions of update-notifier
    node_modules/np
      @pika/pack  >=0.4.0-pre.2
      Depends on vulnerable versions of np
      node_modules/@pika/pack

Which has 12 vulnerabilities

v0.5.0 depends on:

node_modules/meow/node_modules/yargs-parser
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    np  >=2.0.0
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-name
    Depends on vulnerable versions of update-notifier
    node_modules/np
      @pika/pack  >=0.4.0-pre.2
      Depends on vulnerable versions of np
      node_modules/@pika/pack

Which also has 12 vulnerabilities

Whereas v0.3.7 has no known vulnerabilities. These vulnerabilities were introduced in the past two versions of pika/pack.

pika/pack appears to have been abandoned or put on hold. Additionally, the updates to the dependencies have been made to the source in master but have not been released.

It looks like our best options are to:

  1. Downgrade to v0.3.7 (currently there seem to be no side effects to making this change, and it solves the vulnerabilities being flagged by the repo)
  2. Find an alternative

Note: This is identical to the vulnerabilities fixed by octokit/octokit.js#2252
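As an added example, not code from this PR or from the octokit project: a small check that walks a package-lock.json (lockfileVersion 2/3 "packages" map) using node-style resolution to report whether the installed @pika/pack still reaches the packages flagged in the audit tree above. The lock contents are constructed to mirror that tree; the intermediate package versions are placeholders.

```javascript
// Added example (not the octokit project's code): does @pika/pack transitively
// reach a flagged package in a package-lock.json "packages" map?
const FLAGGED = new Set(["trim-newlines", "yargs-parser"]); // names from the audit in this PR

// Resolve a dependency name the way node does: the requiring package's own
// node_modules first, then each enclosing node_modules up to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first search from `start`; returns the lock-file path to the first
// flagged package reached, or null if none is reachable.
function findPathTo(packages, start, targets, seen = new Set()) {
  if (seen.has(start)) return null;
  seen.add(start);
  for (const dep of Object.keys((packages[start] || {}).dependencies || {})) {
    const p = resolveDep(packages, start, dep);
    if (!p) continue;
    if (targets.has(dep)) return [start, p];
    const rest = findPathTo(packages, p, targets, seen);
    if (rest) return [start, ...rest];
  }
  return null;
}

// Constructed lock data mirroring the audit tree quoted above ("x" = placeholder version).
const lockWithPack040 = { packages: {
  "node_modules/@pika/pack": { version: "0.4.0", dependencies: { np: "*" } },
  "node_modules/np": { version: "x", dependencies: { meow: "*" } },
  "node_modules/meow": { version: "x", dependencies: { "yargs-parser": "*", "trim-newlines": "*" } },
  "node_modules/meow/node_modules/yargs-parser": { version: "x" }, // nested, vulnerable copy
  "node_modules/yargs-parser": { version: "x" }, // hoisted copy used by other packages
  "node_modules/trim-newlines": { version: "x" },
}};
const lockWithPack037 = { packages: {
  "node_modules/@pika/pack": { version: "0.3.7", dependencies: {} },
}};

function auditPikaPack(lock) {
  return findPathTo(lock.packages, "node_modules/@pika/pack", FLAGGED);
}
```

Running it against a real lock file means replacing the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))`.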

@nickfloyd nickfloyd added dependencies Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR labels Jul 11, 2022
@ghost ghost added this to Maintenance in JS Jul 11, 2022
@wolfy1339 wolfy1339 enabled auto-merge (squash) July 11, 2022 19:44
@wolfy1339 wolfy1339 merged commit 240994b into master Jul 11, 2022
@wolfy1339 wolfy1339 deleted the dependency-updates branch July 11, 2022 19:45
JS automation moved this from Maintenance to Done Jul 11, 2022
@github-actions

🎉 This PR is included in version 5.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
