
[deps] updates pika/pack to a non-vulnerable version #416

Merged
merged 1 commit into from
Jul 12, 2022

Conversation

nickfloyd
Contributor

There is a known set of vulnerabilities in pika/pack. The intention of this PR is to update pika/pack to a non-compromised version.

It appears that pika/pack v0.4.0 depends on:

node_modules/meow/node_modules/yargs-parser
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    np  >=2.0.0
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-name
    Depends on vulnerable versions of update-notifier
    node_modules/np
      @pika/pack  >=0.4.0-pre.2
      Depends on vulnerable versions of np
      node_modules/@pika/pack

Which has 12 vulnerabilities

v0.5.0 depends on:

node_modules/meow/node_modules/yargs-parser
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    np  >=2.0.0
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-name
    Depends on vulnerable versions of update-notifier
    node_modules/np
      @pika/pack  >=0.4.0-pre.2
      Depends on vulnerable versions of np
      node_modules/@pika/pack

Which also has 12 vulnerabilities

Whereas v0.3.7 has no known vulnerabilities. These vulnerabilities were introduced in the past two versions of pika/pack.

pika/pack appears to have been abandoned or put on hold. Additionally, the updates to the dependencies have been made to the source in master but have not been released.

It looks like our best options are to:

  1. Downgrade to v0.3.7 (currently there seem to be no side effects to making this change, and it solves the vulnerabilities being flagged by the repo)
  2. Find an alternative
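The `npm audit` trees above are the trail from the package this repo depends on (`@pika/pack`) down to the leaf packages that carry the advisories, plus a derived "affected" range for each parent (`@pika/pack >=0.4.0-pre.2`). The script below is an added example, not code from this PR, from octokit or from pika/pack: it re-derives that kind of finding from a dependency graph, and checks a candidate downgrade against the derived range. The installed tree and the leaf advisory ranges are constructed placeholders (the page only gives the parent ranges), and the semver helper implements plain precedence rules, not the `semver` package's full range grammar.

```javascript
// Added example: reproduce an npm-audit-style "depends on vulnerable versions of"
// chain from a dependency graph, and test a candidate version against a range.
// Not octokit's or pika/pack's code. Graph and leaf ranges below are constructed.

// --- minimal semver, enough for the range shapes npm audit printed ----------
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`bad version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Pre-release identifier ordering: numeric < alphanumeric, numerics compared as numbers.
function cmpIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// -1/0/1 by semver 2.0 precedence: 0.4.0-pre.2 < 0.4.0-pre.10 < 0.4.0.
function compare(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) if (A.core[i] !== B.core[i]) return Math.sign(A.core[i] - B.core[i]);
  if (A.pre.length === 0 && B.pre.length === 0) return 0;
  if (A.pre.length === 0) return 1;   // a release outranks its own pre-releases
  if (B.pre.length === 0) return -1;
  for (let i = 0; i < Math.min(A.pre.length, B.pre.length); i++) {
    const c = cmpIdent(A.pre[i], B.pre[i]);
    if (c) return c;
  }
  return Math.sign(A.pre.length - B.pre.length);
}

// Supports exactly the shapes seen in the audit output: ">=X", "X - Y" (inclusive
// hyphen range) and a bare exact version. Anything else fails loudly rather than
// silently reporting "not affected".
function satisfies(version, range) {
  const r = range.trim();
  let m;
  if ((m = /^>=\s*(\S+)$/.exec(r))) return compare(version, m[1]) >= 0;
  if ((m = /^(\S+)\s+-\s+(\S+)$/.exec(r))) return compare(version, m[1]) >= 0 && compare(version, m[2]) <= 0;
  if (/^\S+$/.test(r)) return compare(version, r) === 0;
  throw new Error(`unsupported range: ${range}`);
}

// --- constructed data mirroring the chain in the PR text --------------------
// Installed versions are placeholders chosen to sit inside the ranges npm audit
// printed (meow 3.4.0 - 5.0.0, np >=2.0.0, @pika/pack >=0.4.0-pre.2).
const INSTALLED = {
  "@pika/pack":      { version: "0.4.0",  deps: ["np"] },
  "np":              { version: "6.0.0",  deps: ["meow", "npm-name", "update-notifier"] },
  "meow":            { version: "5.0.0",  deps: ["trim-newlines", "yargs-parser"] },
  "trim-newlines":   { version: "2.0.0",  deps: [] },
  "yargs-parser":    { version: "10.1.0", deps: [] },
  "npm-name":        { version: "5.5.0",  deps: [] },
  "update-notifier": { version: "2.5.0",  deps: [] },
};

// Placeholder advisory ranges for the leaf packages the audit flagged; the real
// advisory ranges are not on the page.
const ADVISORIES = {
  "trim-newlines":   "1.0.0 - 3.0.0",
  "yargs-parser":    "6.0.0 - 13.1.1",
  "npm-name":        "3.0.0 - 6.0.0",
  "update-notifier": "0.1.0 - 5.0.1",
};

// Derived range npm audit printed for the parent this repo depends on.
const PIKA_PACK_AFFECTED = ">=0.4.0-pre.2";

// Depth-first walk from `root`; returns every chain root -> ... -> leaf whose
// installed leaf version falls in an advisory range. Cycles are skipped by name.
function vulnerableChains(root, installed, advisories) {
  const chains = [];
  const walk = (name, path, onPath) => {
    if (onPath.has(name)) return;
    const node = installed[name];
    if (!node) throw new Error(`not installed: ${name}`);
    const here = [...path, `${name}@${node.version}`];
    const range = advisories[name];
    if (range && satisfies(node.version, range)) chains.push(here);
    onPath.add(name);
    for (const dep of node.deps) walk(dep, here, onPath);
    onPath.delete(name);
  };
  walk(root, [], new Set());
  return chains;
}

for (const c of vulnerableChains("@pika/pack", INSTALLED, ADVISORIES)) console.log(c.join(" > "));
for (const v of ["0.3.7", "0.4.0-pre.1", "0.4.0", "0.5.0"]) {
  console.log(`@pika/pack@${v}: ${satisfies(v, PIKA_PACK_AFFECTED) ? "in affected range" : "outside affected range"}`);
}
```

The second loop is the check behind option 1 above: `0.3.7` and the pre-release `0.4.0-pre.1` fall outside `>=0.4.0-pre.2`, while `0.4.0` and `0.5.0` fall inside it. Note that a downgrade only clears the advisories listed today; pinning to an older release of an unmaintained package means any future advisory against `0.3.7` itself has no upstream fix, which is why option 2 stays on the table.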

@ghost ghost added this to Maintenance in JS Jul 12, 2022
@wolfy1339 wolfy1339 merged commit b79127d into master Jul 12, 2022
JS automation moved this from Maintenance to Done Jul 12, 2022
@wolfy1339 wolfy1339 deleted the dependency-updates branch July 12, 2022 18:15
@timrogers
Contributor

@nickfloyd It looks like builds are failing due to the pika binary being missing (example). Any ideas?

@wolfy1339
Member

This has happened before, I have opened an issue #417

@timrogers
Contributor

Aha! Thanks 🏁

@nickfloyd
Contributor Author

For reference: #421

@octokitbot
Collaborator

🎉 This PR is included in version 6.40.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
