
[deps] updates pika/pack to a non vulnerable version #2252

Merged
merged 1 commit into from
Jul 11, 2022

Conversation

nickfloyd
Contributor

@nickfloyd nickfloyd commented Jul 11, 2022

There is a known set of vulnerabilities in pika/pack. The intention of this PR is to update pika/pack to a non-compromised version. See the dependabot alert for more details.

It appears that pika/pack v0.4.0 depends on:

node_modules/meow/node_modules/yargs-parser
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    np  >=2.0.0
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-name
    Depends on vulnerable versions of update-notifier
    node_modules/np
      @pika/pack  >=0.4.0-pre.2
      Depends on vulnerable versions of np
      node_modules/@pika/pack

Which has 12 vulnerabilities

v0.5.0 depends on:

node_modules/meow/node_modules/yargs-parser
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    np  >=2.0.0
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-name
    Depends on vulnerable versions of update-notifier
    node_modules/np
      @pika/pack  >=0.4.0-pre.2
      Depends on vulnerable versions of np
      node_modules/@pika/pack

Which also has 12 vulnerabilities

Whereas v0.3.7 has no known vulnerabilities. These vulnerabilities were introduced in the past two versions of pika/pack.

pika/pack appears to have been abandoned or put on hold. Additionally, the updates to the dependencies have been made to the source in master but have not been released.

It looks like our best options are to:

  1. Downgrade to v0.3.7 (currently there seem to be no side effects to making this change, and it solves the vulnerabilities being flagged by the repo)
  2. Find an alternative

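An added illustration, not code from this PR or the project, of the transitive check that the npm audit output above is reporting: given a resolved dependency graph and a set of packages carrying advisories, walk from each candidate root version and list every path that reaches a flagged package, then keep only the candidate versions whose subtree reaches none. The graph and the flagged set are constructed to mirror the chain quoted in the PR (@pika/pack > np > meow > trim-newlines / yargs-parser); the edge lists for @pika/pack@0.3.7 and for the leaf packages are assumptions, not the real resolved lockfile, and real advisories are keyed by version range rather than by bare package name.

```javascript
// Added example, not from the PR: find every dependency path from a root
// package version to a package that carries a security advisory.
// The graph below is CONSTRUCTED from the npm audit output quoted in the PR;
// the edges for @pika/pack@0.3.7 and the leaf packages are assumptions.

const depsByPackage = {
  '@pika/pack@0.4.0': ['np'],
  '@pika/pack@0.5.0': ['np'],
  '@pika/pack@0.3.7': [], // assumption: this line does not pull in np
  np: ['meow', 'npm-name', 'update-notifier'],
  meow: ['trim-newlines', 'yargs-parser'],
  'npm-name': [],
  'update-notifier': [],
  'trim-newlines': [],
  'yargs-parser': [],
};

// Packages the audit flagged (constructed set; a lockfile-based checker would
// match the resolved version against each advisory's vulnerable range).
const flagged = new Set(['trim-newlines', 'yargs-parser', 'npm-name', 'update-notifier']);

// Depth-first walk that records each path ending at a flagged package.
// `seen` holds the current path's nodes and guards against cycles,
// which real npm graphs can contain.
function findVulnerablePaths(deps, root, vulnerable) {
  const paths = [];
  const visit = (node, path, seen) => {
    if (seen.has(node)) return;
    const here = [...path, node];
    if (vulnerable.has(node)) paths.push(here);
    const nextSeen = new Set(seen).add(node);
    for (const child of deps[node] || []) visit(child, here, nextSeen);
  };
  visit(root, [], new Set());
  return paths;
}

// Distinct flagged packages reachable from root, sorted for stable output.
function reachableVulnerable(deps, root, vulnerable) {
  const leaves = findVulnerablePaths(deps, root, vulnerable).map((p) => p[p.length - 1]);
  return [...new Set(leaves)].sort();
}

// Of several candidate versions of one package, keep those whose subtree
// reaches no flagged package. This is the comparison the PR makes by hand
// between 0.4.0, 0.5.0 and 0.3.7.
function cleanCandidates(deps, candidates, vulnerable) {
  return candidates.filter((c) => findVulnerablePaths(deps, c, vulnerable).length === 0);
}

// Render a path in the "a > b > c" style used by npm audit, for human review.
function formatPath(path) {
  return path.join(' > ');
}

// Demo over the constructed graph.
const candidates = Object.keys(depsByPackage).filter((k) => k.startsWith('@pika/pack@'));
for (const root of candidates) {
  const reach = reachableVulnerable(depsByPackage, root, flagged);
  console.log(`${root}: ${reach.length} flagged package(s) reachable`);
  for (const p of findVulnerablePaths(depsByPackage, root, flagged)) {
    console.log('  ' + formatPath(p));
  }
}
console.log('clean candidates:', cleanCandidates(depsByPackage, candidates, flagged));
```

The walk deliberately keeps descending below a flagged node, so a package that is itself vulnerable and also pulls in other vulnerable packages produces one path per finding, which is how the audit output above is structured.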
@ghost ghost added this to Inbox in JS Jul 11, 2022
@nickfloyd nickfloyd added the Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR label Jul 11, 2022
@ghost ghost moved this from Inbox to Maintenance in JS Jul 11, 2022
@wolfy1339
Member

I'm not too sure about this, as it is a version downgrade

@nickfloyd
Contributor Author

> I'm not too sure about this, as it is a version downgrade

Agreed. I've got this one in draft while I test a baseline and then a much later version of pika - sorry for the noise, but given it's a build tool I wanted to make sure it passed all of our CI as well. I'll take it out of draft when I think it might be g2g.

@nickfloyd nickfloyd marked this pull request as ready for review July 11, 2022 19:20
@nickfloyd nickfloyd requested a review from wolfy1339 July 11, 2022 19:20
@wolfy1339 wolfy1339 merged commit 4e82e68 into main Jul 11, 2022
JS automation moved this from Maintenance to Done Jul 11, 2022
@wolfy1339 wolfy1339 deleted the vulnerable-dependency-updates branch July 11, 2022 19:25
wolfy1339 added a commit to wolfy1339/.github that referenced this pull request Jul 11, 2022
@github-actions

🎉 This PR is included in version 2.0.4 🎉

The release is available on:

Your semantic-release bot 📦🚀
