From f02c5498fdc9ef76df3f1250fec720403489eb34 Mon Sep 17 00:00:00 2001 From: rethab Date: Wed, 1 Sep 2021 21:35:23 +0200 Subject: [PATCH] fix: update ioredis to non-vulnerable version (#1589) the previously used version of ioredis was vulnerable to a prototype pollution attack: https://github.com/luin/ioredis/issues/1267 --- package-lock.json | 34 ++++++++++++++++------------------ package.json | 4 ++-- 2 files changed, 18 insertions(+), 20 deletions(-) diff --git a/package-lock.json b/package-lock.json index e9f29d7b28..5eed651a0d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1406,18 +1406,11 @@ "dev": true }, "@types/ioredis": { - "version": "4.26.4", - "resolved": "https://registry.npmjs.org/@types/ioredis/-/ioredis-4.26.4.tgz", - "integrity": "sha512-QFbjNq7EnOGw6d1gZZt2h26OFXjx7z+eqEnbCHSrDI1OOLEgOHMKdtIajJbuCr9uO+X9kQQRe7Lz6uxqxl5XKg==", + "version": "4.27.1", + "resolved": "https://registry.npmjs.org/@types/ioredis/-/ioredis-4.27.1.tgz", + "integrity": "sha512-+JichYPCtVapxi5Z+7V/8Uhn+4Piz+rkb03JQTQ0kW0pkV71+bmzSTkpwmIqa7FfWIszp0VbRyN8gfgWDNQMdA==", "requires": { "@types/node": "*" - }, - "dependencies": { - "@types/node": { - "version": "15.12.4", - "resolved": "https://registry.npmjs.org/@types/node/-/node-15.12.4.tgz", - "integrity": "sha512-zrNj1+yqYF4WskCMOHwN+w9iuD12+dGm0rQ35HLl9/Ouuq52cEtd0CH9qMgrdNmi5ejC1/V7vKEXYubB+65DkA==" - } } }, "@types/is-base64": { @@ -1514,8 +1507,7 @@ "@types/node": { "version": "14.17.3", "resolved": "https://registry.npmjs.org/@types/node/-/node-14.17.3.tgz", - "integrity": "sha512-e6ZowgGJmTuXa3GyaPbTGxX17tnThl2aSSizrFthQ7m9uLGZBXiGhgE55cjRZTF5kjZvYn9EOPOMljdjwbflxw==", - "dev": true + "integrity": "sha512-e6ZowgGJmTuXa3GyaPbTGxX17tnThl2aSSizrFthQ7m9uLGZBXiGhgE55cjRZTF5kjZvYn9EOPOMljdjwbflxw==" }, "@types/normalize-package-data": { "version": "2.4.0", 
@@ -3065,9 +3057,9 @@ "dev": true }, "denque": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/denque/-/denque-1.5.0.tgz", - "integrity": "sha512-CYiCSgIF1p6EUByQPlGkKnP1M9g0ZV3qMIrqMqZqdwazygIA/YP2vrbcyl1h/WppKJTdl1F85cXIle+394iDAQ==" + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/denque/-/denque-1.5.1.tgz", + "integrity": "sha512-XwE+iZ4D6ZUB7mfYRMb5wByE8L74HCn30FBN7sWnXksWc1LO1bPDl67pBR9o/kC4z/xSNAwkMYcGgqDV3BE3Hw==" }, "depd": { "version": "1.1.2", @@ -4502,15 +4494,16 @@ } }, "ioredis": { - "version": "4.27.6", - "resolved": "https://registry.npmjs.org/ioredis/-/ioredis-4.27.6.tgz", - "integrity": "sha512-6W3ZHMbpCa8ByMyC1LJGOi7P2WiOKP9B3resoZOVLDhi+6dDBOW+KNsRq3yI36Hmnb2sifCxHX+YSarTeXh48A==", + "version": "4.27.9", + "resolved": "https://registry.npmjs.org/ioredis/-/ioredis-4.27.9.tgz", + "integrity": "sha512-hAwrx9F+OQ0uIvaJefuS3UTqW+ByOLyLIV+j0EH8ClNVxvFyH9Vmb08hCL4yje6mDYT5zMquShhypkd50RRzkg==", "requires": { "cluster-key-slot": "^1.1.0", "debug": "^4.3.1", "denque": "^1.1.0", "lodash.defaults": "^4.2.0", "lodash.flatten": "^4.4.0", + "lodash.isarguments": "^3.1.0", "p-map": "^2.1.0", "redis-commands": "1.7.0", "redis-errors": "^1.2.0", @@ -5655,6 +5648,11 @@ "resolved": "https://registry.npmjs.org/lodash.includes/-/lodash.includes-4.3.0.tgz", "integrity": "sha1-YLuYqHy5I8aMoeUTJUgzFISfVT8=" }, + "lodash.isarguments": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/lodash.isarguments/-/lodash.isarguments-3.1.0.tgz", + "integrity": "sha1-L1c9hcaiQon/AGY7SRwdM4/zRYo=" + }, "lodash.isboolean": { "version": "3.0.3", "resolved": "https://registry.npmjs.org/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz", diff --git a/package.json b/package.json index 085bfae208..ea23cbe4b5 100644 --- a/package.json +++ b/package.json 
@@ -47,7 +47,7 @@
 "@probot/octokit-plugin-config": "^1.0.0",
 "@probot/pino": "^2.2.0",
 "@types/express": "^4.17.9",
- "@types/ioredis": "^4.17.8",
+ "@types/ioredis": "^4.27.1",
 "@types/pino": "^6.3.4",
 "@types/pino-http": "^5.0.6",
 "@types/update-notifier": "^5.0.0",
@@ -58,7 +58,7 @@
 "eventsource": "^1.0.7",
 "express": "^4.17.1",
 "hbs": "^4.1.1",
- "ioredis": "^4.19.2",
+ "ioredis": "^4.27.8",
 "js-yaml": "^3.14.1",
 "lru-cache": "^6.0.0",
 "octokit-auth-probot": "^1.2.2",