Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade dependencies to apply security fixes #368

Merged
merged 2 commits into from
Feb 28, 2020
Merged

Upgrade dependencies to apply security fixes #368

merged 2 commits into from
Feb 28, 2020

Conversation

omrilotan
Copy link
Contributor

@omrilotan omrilotan commented Oct 29, 2019

TL;DR

dep before after
depcheck ^0.6.11 ^0.9.1
lodash ^4.7.0 ^4.17.15

Encompasses and updates on #361 and #371

Step 1 - NPM

npm i

found 184 vulnerabilities (1 low, 3 moderate, 180 high)
  run `npm audit fix` to fix them, or `npm audit` for details

npm audit fix

fixed 183 of 184 vulnerabilities in 4366 scanned packages
  1 vulnerability required manual review and could not be updated

npm audit

output
                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ babel-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ babel-cli > chokidar > anymatch > micromatch > braces        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

Finally we remain with "braces" as a nested devDependency with a Regex DDoS vulnerability - which I think is negligible.

npm ls braces
[email protected] ~/npm-check
└─┬ [email protected]
  └─┬ [email protected]
    ├─┬ [email protected]
    │ └─┬ [email protected]
    │   └── [email protected]    <---
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]

Step 2 - Snyk

npx snyk test

  Upgrade [email protected] to [email protected] to fix
  ✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/npm:mem:20180117] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected]

I checked depcheck releases. There are no breaking changes

npm i depcheck@latest && npx snyk test

✓ Tested 247 dependencies for known issues, no vulnerable paths found.

@icebob
Copy link

icebob commented Dec 4, 2019

When will be merged & released?

@mkarpusiewicz
Copy link

Can we have this merged and released please?

@mkarpusiewicz
Copy link

@dylang Would you be able to merge this? If you need any help with the project I'm happy to help ;)

@LinusU
Copy link
Collaborator

LinusU commented Feb 28, 2020

Thanks, sorry for the delay

@LinusU
Copy link
Collaborator

LinusU commented Feb 28, 2020

Released as [email protected]

@omrilotan
Copy link
Contributor Author

🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants