Vulnerable downstream dependency #381

Closed
3 tasks
jdforsythe opened this issue Jun 27, 2023 · 6 comments · Fixed by #383
Comments

@jdforsythe
Contributor

jdforsythe commented Jun 27, 2023

Welcome to the issues section if it's your first time!

Before creating an issue, please be sure to:

  • Check out the latest version, including submodules
  • Try to find an isolated way to reproduce the behavior
  • Fill in all the blanks in the most specific way you can

Steps to reproduce

Expected behaviour

Tell us what should happen

Actual behaviour

Tell us what happens instead

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ semver vulnerable to Regular Expression Denial of Service    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ semver                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.5.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ argon2                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ argon2 > @mapbox/node-pre-gyp > make-dir > semver            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1092310                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

Environment

Operating system:

Node version:

Compiler version:

@AkiraMiyakoda

We're waiting for @mapbox/node-pre-gyp to update its dependency. (mapbox/node-pre-gyp#685)
make-dir has already been updated, so you can add this to your package.json as an interim measure.

"overrides": {
  "make-dir": "^4.0.0"
}
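One way to confirm that the interim override really changes which semver the flagged path resolves to is to walk the lockfile the same way Node's resolver walks nested node_modules directories. The script below is an added example in JavaScript; it is not code from this thread, from node-argon2, or from npm. Both package-lock.json v3 "packages" fragments, and every version number in them, are constructed for illustration; the patched threshold is the ">=7.5.2" from the audit table above.

```javascript
'use strict';

// Added example (not node-argon2 or npm code): check whether the
// argon2 > @mapbox/node-pre-gyp > make-dir > semver chain still resolves to a
// semver below the patched version, before and after the package.json
// override from the comment above. Lockfile contents below are constructed.

const CHAIN = ['argon2', '@mapbox/node-pre-gyp', 'make-dir', 'semver'];
const PATCHED_SEMVER = '7.5.2'; // "Patched in >=7.5.2" from the audit table

// Constructed: lockfile before the override. make-dir 3.x wants semver ^6,
// so npm nests an old semver under make-dir instead of using the root copy.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { argon2: '^0.30.3' } },
    'node_modules/argon2': { version: '0.30.3', dependencies: { '@mapbox/node-pre-gyp': '^1.0.10' } },
    'node_modules/@mapbox/node-pre-gyp': { version: '1.0.10', dependencies: { 'make-dir': '^3.1.0', semver: '^7.3.5' } },
    'node_modules/make-dir': { version: '3.1.0', dependencies: { semver: '^6.0.0' } },
    'node_modules/make-dir/node_modules/semver': { version: '6.3.0' },
    'node_modules/semver': { version: '7.5.4' },
  },
};

// Constructed: lockfile after adding "overrides": {"make-dir": "^4.0.0"} and
// re-running `npm install`. The nested copy is gone, so the chain falls
// through to the hoisted root semver.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { argon2: '^0.30.3' } },
    'node_modules/argon2': { version: '0.30.3', dependencies: { '@mapbox/node-pre-gyp': '^1.0.10' } },
    'node_modules/@mapbox/node-pre-gyp': { version: '1.0.10', dependencies: { 'make-dir': '^3.1.0', semver: '^7.3.5' } },
    'node_modules/make-dir': { version: '4.0.0', dependencies: { semver: '^7.5.3' } },
    'node_modules/semver': { version: '7.5.4' },
  },
};

// Resolve `depName` as required by the package at lockfile key `fromKey`
// ('' is the project root): nearest node_modules first, then walk outward.
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const up = base.lastIndexOf('/node_modules/');
    base = up === -1 ? '' : base.slice(0, up);
  }
}

// Follow a dependency chain from the root, returning each hop's key and version.
function resolveChain(lock, chain) {
  let key = '';
  return chain.map((name) => {
    const next = resolveDep(lock.packages, key, name);
    if (!next) throw new Error(`cannot resolve ${name} from ${key || '<root>'}`);
    key = next;
    return { name, key, version: lock.packages[key].version };
  });
}

// Minimal semver ordering (major.minor.patch; a prerelease sorts below its
// release) so this check does not itself depend on the semver package.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Audit one chain: the version at its end and whether it meets the patched range.
function auditChain(lock, chain, patchedIn) {
  const hops = resolveChain(lock, chain);
  const leaf = hops[hops.length - 1];
  return {
    path: hops.map((h) => `${h.name}@${h.version}`).join(' > '),
    leafKey: leaf.key,
    version: leaf.version,
    patched: compareVersions(leaf.version, patchedIn) >= 0,
  };
}

for (const [label, lock] of [['before override', LOCK_BEFORE], ['after override', LOCK_AFTER]]) {
  const r = auditChain(lock, CHAIN, PATCHED_SEMVER);
  console.log(`${label}: ${r.path} -> ${r.patched ? 'patched' : 'VULNERABLE'} (${r.leafKey})`);
}
```

Against a real project you would `JSON.parse` the project's package-lock.json instead of the constructed objects; `npm explain semver` (npm 7 and later) shows the same resolution from the command line. The override only helps if the replacement make-dir itself declares a semver range that resolves to a patched release, which is why the check looks at the resolved version rather than at the override text.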

@jdforsythe
Contributor Author

jdforsythe commented Jul 14, 2023

@AkiraMiyakoda @mapbox/node-pre-gyp v1.0.11 was just published with the fix

mapbox/node-pre-gyp#685
mapbox/node-pre-gyp#691
https://github.com/mapbox/node-pre-gyp/releases/tag/v1.0.11
https://www.npmjs.com/package/@mapbox/node-pre-gyp/v/1.0.11

@ranisalt
Owner

Feel free to open a PR updating the dependency before dependabot does it :)

jdforsythe added a commit to jdforsythe/node-argon2 that referenced this issue Jul 19, 2023
@jdforsythe
Contributor Author

> Feel free to open a PR updating the dependency before dependabot does it :)

Done. #383

ranisalt pushed a commit that referenced this issue Jul 30, 2023
@jdforsythe
Contributor Author

@ranisalt is there an upcoming release that will contain this change?

@ranisalt
Owner

ranisalt commented Aug 2, 2023

@jdforsythe releasing v0.31.0 with updated dependencies now.

3 participants