Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue: Please update yargs to 16.1.1 to fix CVE in y18n #3577

Closed
SymbioticKilla opened this issue Nov 26, 2020 · 3 comments · Fixed by #3578 or karronoli/redpen#10 · May be fixed by PDSSnyk/juice-shop#74
Closed

Security issue: Please update yargs to 16.1.1 to fix CVE in y18n #3577

SymbioticKilla opened this issue Nov 26, 2020 · 3 comments · Fixed by #3578 or karronoli/redpen#10 · May be fixed by PDSSnyk/juice-shop#74
Labels
released

Comments

@SymbioticKilla
Copy link
Contributor

Security issue:
CVE in y18n

Thank you!
@devoto13
Copy link
Collaborator

Please send a PR 😉

SymbioticKilla added a commit to SymbioticKilla/karma that referenced this issue Nov 26, 2020
@SymbioticKilla
fix(cve): update yargs to 16.1.1 to fix cve-2020-7774 in y18n
a7977f3 
karma-runner#3577
@SymbioticKilla SymbioticKilla mentioned this issue Nov 26, 2020
Merged
@SymbioticKilla
Copy link
Contributor Author

@devoto13 I hope everything is fine => my second PR on github =)

johnjbarton pushed a commit that referenced this issue Dec 14, 2020
@SymbioticKilla
fix(cve): update yargs to 16.1.1 to fix cve-2020-7774 in y18n (#3578)
3fed0bc 
Fixes #3577
karmarunnerbot pushed a commit that referenced this issue Jan 13, 2021
@semantic-release-bot
chore(release): 6.0.0 [skip ci]
3653caf 
# [6.0.0](v5.2.3...v6.0.0) (2021-01-13)

### Bug Fixes

* **ci:** abandon browserstack tests for Safari and IE ([#3615](#3615)) ([04a811d](04a811d))
* **client:** do not reset karmaNavigating in unload handler ([#3591](#3591)) ([4a8178f](4a8178f)), closes [#3482](#3482)
* **context:** do not error when karma is navigating ([#3565](#3565)) ([05dc288](05dc288)), closes [#3560](#3560)
* **cve:** update ua-parser-js to 0.7.23 to fix CVE-2020-7793 ([#3584](#3584)) ([f819fa8](f819fa8))
* **cve:** update yargs to 16.1.1 to fix cve-2020-7774 in y18n ([#3578](#3578)) ([3fed0bc](3fed0bc)), closes [#3577](#3577)
* **deps:** bump socket-io to v3 ([#3586](#3586)) ([1b9e1de](1b9e1de)), closes [#3569](#3569)
* **middleware:** catch errors when loading a module ([#3605](#3605)) ([fec972f](fec972f)), closes [#3572](#3572)
* **server:** clean up close-server logic ([#3607](#3607)) ([3fca456](3fca456))
* **test:** clear up clearContext ([#3597](#3597)) ([8997b74](8997b74))
* **test:** mark all second connections reconnects ([#3598](#3598)) ([1c9c2de](1c9c2de))

### Features

* **cli:** error out on unexpected options or parameters ([#3589](#3589)) ([603bbc0](603bbc0))
* **client:** update banner with connection, test status, ping times ([#3611](#3611)) ([4bf90f7](4bf90f7))
* **server:** print stack of unhandledrejections ([#3593](#3593)) ([35a5842](35a5842))
* **server:** remove deprecated static methods ([#3595](#3595)) ([1a65bf1](1a65bf1))
* remove support for running dart code in the browser ([#3592](#3592)) ([7a3bd55](7a3bd55))

### BREAKING CHANGES

* **server:** Deprecated `require('karma').server.start()` and `require('karma').Server.start()` variants were removed from the public API. Instead use canonical form:

```
const { Server } = require('karma');
const server = new Server();
server.start();
```
* **cli:** Karma is more strict and will error out if unknown option or argument is passed to CLI.
* Using Karma to run Dart code in the browser is no longer supported. Use your favorite Dart-to-JS compiler instead.

`dart` file type has been removed without a replacement.

`customFileHandlers` DI token has been removed. Use [`middleware`](http://karma-runner.github.io/5.2/config/configuration-file.html#middleware) to achieve similar functionality.

`customScriptTypes` DI token has been removed. It had no effect, so no replacement is provided.
* **deps:** Some projects have socket.io tests that are version sensitive.
@karmarunnerbot
Copy link
Member

🎉 This issue has been resolved in version 6.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@karronoli karronoli mentioned this issue Aug 16, 2022
Merged
anthony-redFox pushed a commit to anthony-redFox/karma that referenced this issue May 16, 2023
@SymbioticKilla @anthony-redFox
fix(cve): update yargs to 16.1.1 to fix cve-2020-7774 in y18n (karma-…
bd385c9 
…runner#3578)

Fixes karma-runner#3577
anthony-redFox pushed a commit to anthony-redFox/karma that referenced this issue May 16, 2023
@semantic-release-bot @anthony-redFox
chore(release): 6.0.0 [skip ci]
be1c5b5 
# [6.0.0](karma-runner/karma@v5.2.3...v6.0.0) (2021-01-13)

### Bug Fixes

* **ci:** abandon browserstack tests for Safari and IE ([karma-runner#3615](karma-runner#3615)) ([04a811d](karma-runner@04a811d))
* **client:** do not reset karmaNavigating in unload handler ([karma-runner#3591](karma-runner#3591)) ([4a8178f](karma-runner@4a8178f)), closes [karma-runner#3482](karma-runner#3482)
* **context:** do not error when karma is navigating ([karma-runner#3565](karma-runner#3565)) ([05dc288](karma-runner@05dc288)), closes [karma-runner#3560](karma-runner#3560)
* **cve:** update ua-parser-js to 0.7.23 to fix CVE-2020-7793 ([karma-runner#3584](karma-runner#3584)) ([f819fa8](karma-runner@f819fa8))
* **cve:** update yargs to 16.1.1 to fix cve-2020-7774 in y18n ([karma-runner#3578](karma-runner#3578)) ([3fed0bc](karma-runner@3fed0bc)), closes [karma-runner#3577](karma-runner#3577)
* **deps:** bump socket-io to v3 ([karma-runner#3586](karma-runner#3586)) ([1b9e1de](karma-runner@1b9e1de)), closes [karma-runner#3569](karma-runner#3569)
* **middleware:** catch errors when loading a module ([karma-runner#3605](karma-runner#3605)) ([fec972f](karma-runner@fec972f)), closes [karma-runner#3572](karma-runner#3572)
* **server:** clean up close-server logic ([karma-runner#3607](karma-runner#3607)) ([3fca456](karma-runner@3fca456))
* **test:** clear up clearContext ([karma-runner#3597](karma-runner#3597)) ([8997b74](karma-runner@8997b74))
* **test:** mark all second connections reconnects ([karma-runner#3598](karma-runner#3598)) ([1c9c2de](karma-runner@1c9c2de))

### Features

* **cli:** error out on unexpected options or parameters ([karma-runner#3589](karma-runner#3589)) ([603bbc0](karma-runner@603bbc0))
* **client:** update banner with connection, test status, ping times ([karma-runner#3611](karma-runner#3611)) ([4bf90f7](karma-runner@4bf90f7))
* **server:** print stack of unhandledrejections ([karma-runner#3593](karma-runner#3593)) ([35a5842](karma-runner@35a5842))
* **server:** remove deprecated static methods ([karma-runner#3595](karma-runner#3595)) ([1a65bf1](karma-runner@1a65bf1))
* remove support for running dart code in the browser ([karma-runner#3592](karma-runner#3592)) ([7a3bd55](karma-runner@7a3bd55))

### BREAKING CHANGES

* **server:** Deprecated `require('karma').server.start()` and `require('karma').Server.start()` variants were removed from the public API. Instead use canonical form:

```
const { Server } = require('karma');
const server = new Server();
server.start();
```
* **cli:** Karma is more strict and will error out if unknown option or argument is passed to CLI.
* Using Karma to run Dart code in the browser is no longer supported. Use your favorite Dart-to-JS compiler instead.

`dart` file type has been removed without a replacement.

`customFileHandlers` DI token has been removed. Use [`middleware`](http://karma-runner.github.io/5.2/config/configuration-file.html#middleware) to achieve similar functionality.

`customScriptTypes` DI token has been removed. It had no effect, so no replacement is provided.
* **deps:** Some projects have socket.io tests that are version sensitive.
@PDSSnyk PDSSnyk mentioned this issue Jun 17, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
3 participants
@devoto13 @karmarunnerbot @SymbioticKilla