
Upgrade package that has security vulnerabilities #166

Merged
merged 1 commit into from
Jul 27, 2021

Conversation

hrsakai
Contributor

@hrsakai hrsakai commented Jul 27, 2021

Ran npm audit fix to fix security vulnerabilities.

$ npm install
.
.
found 3270 vulnerabilities (82 moderate, 3188 high)
  run `npm audit fix` to fix them, or `npm audit` for details

$ npm audit fix
.
.
fixed 3269 of 3270 vulnerabilities in 954 scanned packages
  1 vulnerability required manual review and could not be updated

We have to upgrade ssri to v6.0.2 or above to fix the following security vulnerability, but npm-registry-client's dependency is "ssri": "^5.2.4", so we can't fix it.
https://github.com/npm/npm-registry-client/blob/v8.6.0/package.json#L32

ssri is a devDependency, so I ignore this security vulnerability this time.

$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.0.2 <7.0.0 || >=7.1.1 < 8.0.0 || >= 8.0.1                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ dtslint [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ dtslint > @definitelytyped/utils > npm-registry-client >     │
│               │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 954 scanned packages
  1 vulnerability requires manual review. See the full report for details.
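
The triage done by hand in the description (is the vulnerable package reachable only through devDependencies, and can `npm audit fix` actually reach a patched version given what the direct dependent declares?) can be scripted over `npm audit --json`. The following is an added example, not code from this PR, from pulsar-client-node or from npm. It assumes the npm 6 "advisories" JSON shape reduced to the fields it uses; SAMPLE_AUDIT and DECLARED_RANGES are constructed from the text above (the finding's version 5.3.0 is made up), not a captured audit run; and the small semver helper only understands `>=`, `>`, `<`, `<=`, `=` and `^`.

```javascript
// Added example (not from the PR or from npm). Triages an `npm audit --json`
// report: for each advisory, find the direct dependent of the vulnerable
// module, check whether any patched version fits the dependent's declared
// range, and flag findings that are dev-only.
// Assumption: reduced npm 6 "advisories" JSON shape; sample data constructed
// from the PR description (the ssri version 5.3.0 is invented).
const SAMPLE_AUDIT = {
  advisories: {
    565: {
      id: 565,
      module_name: "ssri",
      severity: "moderate",
      title: "Regular Expression Denial of Service",
      patched_versions: ">=6.0.2 <7.0.0 || >=7.1.1 < 8.0.0 || >= 8.0.1",
      findings: [{
        version: "5.3.0", // constructed; any version inside ^5.2.4 would do
        dev: true,
        paths: ["dtslint>@definitelytyped/utils>npm-registry-client>ssri"],
      }],
    },
  },
};

// What each direct dependent's package.json declares for the vulnerable module.
// "^5.2.4" is from the PR text; the key layout is this example's own choice.
const DECLARED_RANGES = { "npm-registry-client": { ssri: "^5.2.4" } };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// One comparator -> [{op, version}]. "^" expands to ">=lower <upper" using
// npm's caret rules (next major, or next minor/patch for 0.x versions).
function parseComparator(c) {
  const m = /^(>=|<=|>|<|=|\^)?(\d+\.\d+\.\d+)$/.exec(c);
  if (!m) throw new Error(`unsupported comparator: ${c}`);
  const op = m[1] || "=", v = m[2];
  if (op !== "^") return [{ op, version: v }];
  const [major, minor, patch] = parseVersion(v);
  const upper = major > 0 ? `${major + 1}.0.0`
    : minor > 0 ? `0.${minor + 1}.0` : `0.0.${patch + 1}`;
  return [{ op: ">=", version: v }, { op: "<", version: upper }];
}

// A range is an OR ("||") of sets; each set is a space-separated AND of
// comparators. npm prints "< 8.0.0" with a space, so glue operator and version.
function parseRange(range) {
  return range.split("||").map((set) =>
    set.trim().replace(/([<>=^]+)\s+/g, "$1").split(/\s+/)
      .filter(Boolean).flatMap(parseComparator));
}

function satisfies(version, range) {
  return parseRange(range).some((set) => set.every(({ op, version: v }) => {
    const cmp = compareVersions(version, v);
    if (op === ">=") return cmp >= 0;
    if (op === ">") return cmp > 0;
    if (op === "<") return cmp < 0;
    if (op === "<=") return cmp <= 0;
    return cmp === 0;
  }));
}

// The lowest version of each OR-branch of the patched range is its ">=" bound
// (assumption: every branch of an npm advisory has one). If none of those
// fits the dependent's declared range, plain `npm audit fix` cannot resolve it.
function fixableWithinRange(declaredRange, patchedRange) {
  return parseRange(patchedRange).some((set) => {
    const lower = set.find((c) => c.op === ">=");
    return lower !== undefined && satisfies(lower.version, declaredRange);
  });
}

function triageAudit(audit, declaredRanges) {
  return Object.values(audit.advisories).flatMap((adv) =>
    adv.findings.flatMap((f) => f.paths.map((path) => {
      const chain = path.split(">");
      const dependent = chain.length >= 2 ? chain[chain.length - 2] : null;
      const declared = (declaredRanges[dependent] || {})[adv.module_name];
      const fixable = declared === undefined ? null
        : fixableWithinRange(declared, adv.patched_versions);
      const action = fixable ? "npm audit fix can update in place"
        : fixable === null ? `unknown: supply ${dependent}'s declared range`
        : f.dev ? `dev-only: accept for now or bump ${dependent} to a release that accepts a patched ${adv.module_name}`
        : `production path: bump ${dependent} or override ${adv.module_name}; do not ship as-is`;
      return { id: adv.id, module: adv.module_name, severity: adv.severity,
        dev: f.dev, path, dependent, declared, fixableInRange: fixable, action };
    })));
}

// Run stand-alone: prints one row per vulnerable path.
console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT, DECLARED_RANGES), null, 2));
```

For the ssri case the three patched lower bounds are 6.0.2, 7.1.1 and 8.0.1, none of which lies inside `^5.2.4` (`>=5.2.4 <6.0.0`), so the row comes back `fixableInRange: false` with `dev: true`; that is the "manual review" outcome npm reported, and the reason the PR accepts the finding rather than forcing a major bump of a test-only tool.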

@hrsakai hrsakai self-assigned this Jul 27, 2021
@hrsakai hrsakai added this to the 1.4.0 milestone Jul 27, 2021
@massakam massakam merged commit 78c8bc9 into apache:master Jul 27, 2021
nkurihar pushed a commit to nkurihar/pulsar-client-node that referenced this pull request Aug 27, 2021
massakam pushed a commit that referenced this pull request Aug 30, 2021
* Call client.close on tests (#156)

* Add before/afterAll methods for tests

* Add eslint-plugin-jest to devDependencies

* Fix reader.test.js for eslint

* Upgrade package that has security vulnerabilities (#166)

Co-authored-by: hrsakai <hsakai@yahoo-corp.jp>
@hrsakai hrsakai deleted the fix-security-vulnerabilities branch November 16, 2023 00:11