Update latest-version + update-notifier packages #2414

Open
juliangrube1988 opened this issue Oct 19, 2023 · 6 comments · Fixed by #2454
Labels
bug Something isn't working

Comments

@juliangrube1988

Describe the bug
Optic v0.50.10 depends on vulnerable version of latest-version.

To Reproduce
Steps to reproduce the behavior:

  1. npm install @useoptic/optic
  2. npm audit

Expected behavior
latest-version > 5.1.0

Details (please complete the following information):

  • Optic v0.50.10
latest-version  0.2.0 - 5.1.0
   Depends on vulnerable versions of package-json
   node_modules/latest-version
     @useoptic/optic  >=0.36.6-0
     Depends on vulnerable versions of latest-version
     Depends on vulnerable versions of update-notifier
     node_modules/@useoptic/optic
     update-notifier  0.2.0 - 5.1.0
     Depends on vulnerable versions of latest-version
     node_modules/update-notifier
@juliangrube1988 juliangrube1988 added the bug Something isn't working label Oct 19, 2023
@notnmeyer
Member

notnmeyer commented Oct 20, 2023

GHSA-pfrx-2q88-qq97

Unless I'm mistaken, it looks like there are actually a few packages here to sort out:

➜ npm audit
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @useoptic/optic@0.47.7, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      @useoptic/optic  >=0.36.6-0
      Depends on vulnerable versions of latest-version
      Depends on vulnerable versions of update-notifier
      node_modules/@useoptic/optic
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run:

@juliangrube1988
Author

Will you create a new release for this? Yesterday's version 0.50.12 does not include those changes.

@niclim
Contributor

niclim commented Oct 25, 2023

Hi, I just released 0.50.13, which includes this change.

@juliangrube1988
Author

Thanks, but the issue still persists with version 0.50.13:

node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @useoptic/optic  >=0.36.6-0
        Depends on vulnerable versions of update-notifier
        node_modules/@useoptic/optic

5 moderate severity vulnerabilities

@notnmeyer
Member

@juliangrube1988 please try 0.50.14:

➜ cat package.json
{
  "dependencies": {
    "@useoptic/optic": "^0.50.14"
  }
}

➜ npm audit
found 0 vulnerabilities

@niclim niclim reopened this Oct 26, 2023
@niclim niclim changed the title Dependency update Update latest-version + update-notifier packages Oct 26, 2023
@notnmeyer notnmeyer reopened this Oct 26, 2023
@niclim
Contributor

niclim commented Oct 26, 2023

Hey, sorry, we had to revert these changes. The newer packages are ESM only, which we need to spend some time figuring out how to support.
