Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security(deps): bump filenamify-url to 2.1.1 #393

Merged
merged 1 commit into from
Jun 14, 2021
Merged

security(deps): bump filenamify-url to 2.1.1 #393

merged 1 commit into from
Jun 14, 2021

Conversation

AviVahl
Copy link
Contributor

@AviVahl AviVahl commented Jun 10, 2021
edited
Loading

regenerated lock file from scratch to get back to 0 vulnerabilities

fixes:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ normalize-url                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gh-pages                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gh-pages > filenamify-url > humanize-url > normalize-url     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1755                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@AviVahl
security(deps): bump filenamify-url to 2.1.1
d49620e 
regenerated lock file from scratch to get back to 0 vulnerabilities
TyMick
TyMick approved these changes Jun 10, 2021
View reviewed changes
Copy link

@TyMick TyMick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For what it's worth, the only breaking change in filenamify-url v2 is that it requires Node.js 8, so no other code changes should be necessary. 👍🏼

@TyMick
Copy link

TyMick commented Jun 10, 2021

Though I'm not sure that regenerating the lockfile was necessary—npm install filenamify-url@2 probably would've been sufficient to upgrade normalize-url.

@tomhsiao1260 tomhsiao1260 mentioned this pull request Jun 10, 2021
Closed
@AviVahl
Copy link
Contributor Author

AviVahl commented Jun 10, 2021

Though I'm not sure that regenerating the lockfile was necessary—npm install filenamify-url@2 probably would've been sufficient to upgrade normalize-url.

There were other audit failures from locked deps.

@emilbader
Copy link

Related issue: sindresorhus/filenamify-url#9
Related commit in humanize-url: sindresorhus/humanize-url@d013ec7

@AviVahl
Copy link
Contributor Author

AviVahl commented Jun 14, 2021

heya @tschaub, any chance you've got time to review this? :)

@tschaub tschaub merged commit a4c9eee into tschaub:main Jun 14, 2021
@tschaub
Copy link
Owner

tschaub commented Jun 14, 2021
edited
Loading

Thanks, @AviVahl.

There are automated security updates configured for this repo, but they can take up to 7 days from the time of an alert. The alert for normalize-url was still only 6 days old.

@AviVahl AviVahl deleted the filenamify2-audit-fix branch June 15, 2021 07:35
@blackr1234 blackr1234 mentioned this pull request Jun 15, 2021
Closed
@skratchdot
Copy link

I think this change broke our ci.

we clone our repo via something like:

git@github.com:org/repo.git

our ci job now fails during a gh-pages step with the following error:

Invalid URL: http:git@github.com:org/repo.git

@tschaub tschaub mentioned this pull request Jun 18, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TyMick TyMick TyMick approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@AviVahl @TyMick @emilbader @tschaub @skratchdot