
Update dependency "update-notifier" (and its internal "dot-prop") #360

Closed
subukamath opened this issue Feb 10, 2020 · 5 comments
Labels
breaking Breaking change (requires major bump) dependencies Pull requests that update a dependency file

Comments

@subukamath

subukamath commented Feb 10, 2020

Related to serverless/serverless#7486


The existing version of the "update-notifier": "^2.5.0" dependency used in this library is using an older version of configstore, which in turn depends on dot-prop@4.2.0, which has a "Prototype Pollution" security vulnerability.
Could you please update to the latest version of configstore, which uses the latest version of dot-prop that has addressed this vulnerability.

+-- @serverless/enterprise-plugin@3.3.0
| | `-- update-notifier@2.5.0
| |   `-- configstore@3.1.2
| |     `-- dot-prop@4.2.0
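To make the reported bug class concrete, the following is an added example and is not code from dot-prop, configstore or the plugin: a minimal dot-path setter in the style that dot-prop 4.x used (walk a string path such as "a.b.c", creating intermediate objects as it goes), placed beside a hardened variant that refuses the path segments `__proto__`, `prototype` and `constructor`. The function names `setPathUnsafe`, `setPathSafe` and `demonstrate`, and the attacker path `__proto__.isAdmin`, are constructed for illustration. Run it with Node.js.

```javascript
'use strict';

// Added example, not dot-prop's own code: a naive dot-path setter.
// For the path "__proto__.isAdmin" the loop reads obj["__proto__"],
// which is Object.prototype, and then writes isAdmin onto it, so every
// plain object in the process suddenly has an isAdmin property.
function setPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (i === keys.length - 1) {
      cur[key] = value;
    } else {
      if (typeof cur[key] !== 'object' || cur[key] === null) {
        cur[key] = {};
      }
      cur = cur[key];
    }
  }
  return obj;
}

// Hardened variant: reject the segments that reach a shared prototype,
// and only descend into own properties so inherited ones are never walked.
const DISALLOWED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function setPathSafe(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => DISALLOWED_KEYS.has(k))) {
    throw new Error(`refusing to set path containing a disallowed key: ${path}`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (i === keys.length - 1) {
      cur[key] = value;
    } else {
      const own = Object.prototype.hasOwnProperty.call(cur, key);
      if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
        cur[key] = {};
      }
      cur = cur[key];
    }
  }
  return obj;
}

// Drives both setters with a constructed attacker-controlled path and
// reports what an unrelated, freshly created object sees afterwards.
function demonstrate() {
  const attackerPath = '__proto__.isAdmin'; // constructed attacker input
  const before = ({}).isAdmin;              // undefined

  setPathUnsafe({}, attackerPath, true);
  const afterUnsafe = ({}).isAdmin;         // true: Object.prototype was polluted
  delete Object.prototype.isAdmin;          // clean up before testing the safe variant

  let safeThrew = false;
  try {
    setPathSafe({}, attackerPath, true);
  } catch (e) {
    safeThrew = true;
  }
  const afterSafe = ({}).isAdmin;           // undefined: nothing leaked

  return { before, afterUnsafe, safeThrew, afterSafe };
}

console.log(demonstrate());
// { before: undefined, afterUnsafe: true, safeThrew: true, afterSafe: undefined }
```

The practical check for a project in this situation is the one the dependency tree above already shows: `npm ls dot-prop` lists every copy of the package and the chain of dependants that pulls each one in, so you can confirm which transitive version you are actually running before and after an upgrade.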
@medikoo
Contributor

medikoo commented Feb 11, 2020

@subukamath Currently, to not break things, we're forced to maintain Node.js v6+ support, hence we stick to the older update-notifier.

@medikoo medikoo added the question Further information is requested label Feb 11, 2020
@medikoo
Contributor

medikoo commented Feb 11, 2020

Still, in 1-2 months period we should release new major, and then we'll definitely upgrade all dependencies

@medikoo medikoo added question Further information is requested and removed question Further information is requested labels Feb 11, 2020
@subukamath
Author

Thank you.

@medikoo medikoo added breaking Breaking change (requires major bump) dependencies Pull requests that update a dependency file and removed question Further information is requested labels Jul 31, 2020
@medikoo medikoo changed the title Update dependency "update-notifier" Update dependency "update-notifier" (and its internal "dot-prop") Aug 4, 2020
@lanaebk

lanaebk commented Aug 7, 2020

Any updates on this? A high severity warning was published on July 29 https://www.npmjs.com/advisories/1213

@medikoo
Contributor

medikoo commented Aug 7, 2020

> Any updates on this? A high severity warning was published on July 29 https://www.npmjs.com/advisories/1213

Hopefully new major will be released September-October
