Skip to content

Fix many GitHub Security Advisory Warnings#26

Merged
Jinksi merged 8 commits into
Jinksi:masterfrom
karlhorky:patch-1
Jan 31, 2020
Merged

Fix many GitHub Security Advisory Warnings#26
Jinksi merged 8 commits into
Jinksi:masterfrom
karlhorky:patch-1

Conversation

@karlhorky

@karlhorky karlhorky commented Nov 9, 2019

Copy link
Copy Markdown
Contributor

Many transitive dependency packages are locked to versions with GitHub security advisories (you probably see them under the security tab of this repo).

This pull request (original work courtesy of @juliakaltenegger) fixes many of them.

The last unresolved issue is a problem with heml (more specifically, the @heml/elements package). @juliakaltenegger alerted the heml project of this here:

SparkPost/heml#92

dependabot Bot and others added 8 commits November 9, 2019 12:44
@dependabot @karlhorky
Bump rgb2hex from 0.1.1 to 0.1.9
a66afb8 
Bumps [rgb2hex](https://github.com/christian-bromann/rgb2hex) from 0.1.1 to 0.1.9.
- [Release notes](https://github.com/christian-bromann/rgb2hex/releases)
- [Commits](https://github.com/christian-bromann/rgb2hex/commits/v0.1.9)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @karlhorky
Bump lodash.merge from 4.6.1 to 4.6.2
09a01a2 
Bumps [lodash.merge](https://github.com/lodash/lodash) from 4.6.1 to 4.6.2.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/commits)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @karlhorky
Bump mixin-deep from 1.3.1 to 1.3.2
3e041d3 
Bumps [mixin-deep](https://github.com/jonschlinkert/mixin-deep) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/jonschlinkert/mixin-deep/releases)
- [Commits](jonschlinkert/mixin-deep@1.3.1...1.3.2)

Signed-off-by: dependabot[bot] <support@github.com>
@juliakaltenegger @karlhorky
Update lodash to newest version
3af0bda
@juliakaltenegger @karlhorky
Update to newest compatible version of reload to fix url-parse securi…
b117ce0 
…ty alert
@juliakaltenegger @karlhorky
Update union-value and set-value to solve security alerts
6f28231
@karlhorky
Remove Yarn resolutions again
45425c8
@karlhorky
Remove changes in package-lock.json
c69a1e3
@Jinksi Jinksi merged commit d6cda87 into Jinksi:master Jan 31, 2020
@Jinksi

Jinksi commented Jan 31, 2020

Copy link
Copy Markdown
Owner

Thanks @karlhorky 🙌

@karlhorky

karlhorky commented Jan 31, 2020

Copy link
Copy Markdown
Contributor Author

No problem, credit to @juliakaltenegger too! Thanks for the merge!

@karlhorky

karlhorky commented Jan 31, 2020

Copy link
Copy Markdown
Contributor Author

@Jinksi looks like in the meantime there are more security alerts:

Yarn

$ yarn audit

...

10 vulnerabilities found - Packages audited: 914383
Severity: 1 Low | 7 Moderate | 1 High | 1 Critical

npm

$ npm i --package-lock-only && npm audit

...

found 3 vulnerabilities (1 low, 1 moderate, 1 critical) in 924332 scanned packages

@karlhorky

karlhorky commented Jan 31, 2020
edited
Loading

Copy link
Copy Markdown
Contributor Author

The critical vulnerability comes from the heml dependency, which depends on vulnerable versions of open (also via the reload package).

Edit: I did a pull request for heml here: SparkPost/heml#98

This was referenced Jan 31, 2020
Open
Merged
@karlhorky

karlhorky commented Jan 31, 2020

Copy link
Copy Markdown
Contributor Author

@Jinksi ok I've opened #28 to fix the rest of the vulnerabilities (except for the issues in heml, which will be resolved in SparkPost/heml#98)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@karlhorky @Jinksi @juliakaltenegger