CVE-2022-33987 #1703

Closed
joao-paulo-parity opened this issue Jun 27, 2022 · 3 comments · Fixed by #1706
@joao-paulo-parity
Contributor

Got this warning recently through a Dependabot Alert about an insecure dependency (got), which seems to be used by update-notifier.


Title: Got allows a redirect to a UNIX socket #10

Dependabot cannot update got to a non-vulnerable version

The latest possible version that can be installed is 9.6.0 because of the following conflicting dependencies:

probot@12.2.2 requires got@^9.6.0 via a transitive dependency on package-json@6.5.0

The earliest fixed version is 11.8.5.
> yarn why got
yarn why v1.22.19
[1/4] Why do we have the module "got"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "got@9.6.0"
info Reasons this module exists
   - "probot#update-notifier#latest-version#package-json" depends on it
   - Hoisted from "probot#update-notifier#latest-version#package-json#got"
info Disk size without dependencies: "140KB"
info Disk size with unique dependencies: "444KB"
info Disk size with transitive dependencies: "736KB"
info Number of shared dependencies: 14
Done in 0.25s.

Apparently this was dealt with in yeoman/update-notifier@9183541 but that change also switched the module to ESM as mentioned in remy/nodemon#1961 (comment). It's worth mentioning that nodemon is considering dropping the dependency as per remy/nodemon#2023 (comment) and remy/nodemon#1961.

@welcome

welcome bot commented Jun 27, 2022

Thanks for opening this issue. A contributor should be by to give feedback soon. In the meantime, please check out the contributing guidelines and explore other ways you can get involved.

@gr2m
Contributor

gr2m commented Jun 27, 2022

Looks like we need to update update-notifier, or remove it altogether. Pull Request welcome!

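Deciding between "update update-notifier" and "remove it" comes down to whether the declared ranges in the chain above can reach the fixed got at all. The following added example (not probot's, Dependabot's or yarn's code) walks an `npm ls --json`-style dependency tree, flags every installed copy of a package below its first fixed version, and reports whether the range the nearest dependent declares could satisfy the fix. The tree mirrors the `yarn why got` chain from the issue; the versions marked as assumed, and the `compareVersions`, `caretSatisfies` and `audit` helpers, are assumptions of this example.

```javascript
// Added example (not probot's or Dependabot's code): a lockfile-style audit
// that explains *why* an automated bump cannot reach the fixed version.

// Numeric, not lexicographic: "9.6.0" < "11.8.5" even though "9" > "1" as text.
const parseVersion = v => v.replace(/^[\^~]/, '').split('.').map(Number);

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Caret range ^x.y.z for x >= 1: same major, at least x.y.z. Only that form
// is handled here (assumption); anything else is treated as unsatisfiable so
// the audit errs on the side of reporting.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) return false;
  const base = parseVersion(range);
  const v = parseVersion(version);
  return base[0] >= 1 && v[0] === base[0] && compareVersions(version, range.slice(1)) >= 0;
}

// Constructed tree mirroring the `yarn why got` output in the issue. Versions
// of update-notifier and latest-version are placeholders (assumed), not the
// ones probot shipped.
const tree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    probot: { version: '12.2.2', dependencies: {
      'update-notifier': { version: '0.0.0-assumed', dependencies: {
        'latest-version': { version: '0.0.0-assumed', dependencies: {
          'package-json': { version: '6.5.0', requires: { got: '^9.6.0' },
            dependencies: { got: { version: '9.6.0' } } },
        } },
      } },
    } },
  },
};

// Depth-first walk. For each installed copy of `pkg` below `fixedVersion`,
// record the full chain and whether the declaring range can reach the fix.
function audit(node, pkg, fixedVersion, path = [node.name ?? 'root']) {
  const findings = [];
  for (const [name, dep] of Object.entries(node.dependencies ?? {})) {
    const chain = [...path, `${name}@${dep.version}`];
    if (name === pkg && compareVersions(dep.version, fixedVersion) < 0) {
      const range = node.requires?.[pkg];
      findings.push({
        chain: chain.join(' > '),
        installed: dep.version,
        declaredRange: range ?? null,
        fixReachable: range ? caretSatisfies(range, fixedVersion) : null,
      });
    }
    findings.push(...audit(dep, pkg, fixedVersion, chain));
  }
  return findings;
}

console.log(JSON.stringify(audit(tree, 'got', '11.8.5'), null, 2));
```

A finding with `fixReachable: false` is exactly the situation Dependabot reports as "cannot update": the only copy of got is pinned by `^9.6.0` two levels up, so no version of got alone fixes the tree, and the choice is between a newer package-json/update-notifier that declares a wider range and dropping the dependency altogether.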
joao-paulo-parity added a commit to joao-paulo-parity/probot that referenced this issue Jun 30, 2022
it's better to catch outdated dependencies before deployment, with tools such as dependabot, instead of only finding out about it when you're about to run the application

the motivation for having update-notifier isn't strong as per probot#1102 (comment) and it pulls in needless dependencies as showcased in probot#1703, therefore it's better to remove it
joao-paulo-parity added a commit to joao-paulo-parity/probot that referenced this issue Jun 30, 2022
it's better to catch outdated dependencies before deployment, with tools such as dependabot, instead of only finding out about it when you're about to run the application

the motivation for having update-notifier isn't strong as per probot#1102 (comment) and it pulls in needless dependencies as showcased in probot#1703, therefore it's better to remove it

BREAKING CHANGE: update-notifier will no longer be available for the CLI
gr2m pushed a commit that referenced this issue Jun 30, 2022
@github-actions

🎉 This issue has been resolved in version 12.2.5 🎉

The release is available on:

Your semantic-release bot 📦🚀
