Bump ssri dependency from 6.0.1 to 6.0.2 to address CVE-2021-27290 #49
Conversation
Hi, I'm hoping this might help get the ssri bump backported to v12, which I think many people rely on due to Webpack v4. I tried to follow a CI example for testing and tests appeared to pass for me locally using: I can see, however, that all CI checks have failed.
package.json
@@ -71,7 +71,7 @@ | |||
"move-concurrently": "^1.0.1", | |||
"promise-inflight": "^1.0.1", | |||
"rimraf": "^2.6.3", | |||
"ssri": "^6.0.1", | |||
"ssri": "^8.0.1", |
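Review bot: the replacement range "ssri": "^8.0.1" jumps two major versions past the "^6.0.1" it replaces, while the PR title targets 6.0.2; for a backport on the v12 line the minimal change is "ssri": "^6.0.2", which stays inside the 6.x range that existing installs already resolve against and picks up the patched release without a major-version change.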
v6.0.2 is released, we should be able to use that here.
Awesome, thanks! I'll update and hopefully that'll break fewer tests :)
That did the trick!
2c76729 to 2ddd6f1
@isaacs @wraithgar @claudiahdz Appreciate if someone can help take a look at this PR, it should resolve Also I noticed that the Contributor Guide link in the README is no longer working, please inform if there are any additional steps for this! Thank you 😄
This PR is still on our radar, but since we published Webpack 4 users who are keeping current on their subdependencies will get the proper ssri version now:
~/D/n/t $ npm i webpack@4 --loglevel silent
~/D/n/t $ npm ls ssri
[email protected] /Users/wraithgar/Development/npm/t
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
Only in some cases - later versions of I've opened npm/ssri#20 backporting the fix to v7 - if we could get that landed then I think we can say the majority (if not all) of users should have an easy path to resolution :)
closing. semver is already ensuring that users who install cacache@12 will receive an up to date and patched ssri dependency, this change is effectively nothing but updating the package-lock.json in the repo which is unnecessary since it's not a part of the published package anyway. a fix was backported to ssri@7 which closes the loop on the rest of the concerns noted in this issue.
This bumps ssri to 6.0.2 to address CVE-2021-27290. The original issue was closed after 15.0.6 was released, but many people rely on v12 due to usage of Webpack 4.

References
Related to #47
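The closing comment's point (a "^6.0.1" range already resolves to the patched 6.0.2, so only a stale package-lock.json keeps an old ssri pinned) as an added example, not code from the cacache project or this PR. It assumes plain x.y.z versions, simplified caret semantics (no 0.x special cases), a lockfile v1 "dependencies" layout, and a constructed lockfile fragment with a made-up cacache version; it judges only the 6.x line, since the page names 6.0.2 as the patched release there.

```javascript
// Added example (not cacache's code): caret-range semantics plus a lockfile audit
// that finds ssri 6.x installs still below the patched 6.0.2.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// ^x.y.z (x > 0) admits >= x.y.z and < (x+1).0.0; 0.x rules are omitted here.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges supported: ${range}`);
  const base = range.slice(1);
  return parseVersion(version)[0] === parseVersion(base)[0] && compareVersions(version, base) >= 0;
}

// Walk a lockfile v1 "dependencies" tree and collect every install of `name`
// together with the path that pulled it in.
function findPackage(deps, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) out.push({ path: here.join(' > '), version: info.version });
    findPackage(info.dependencies, name, here, out);
  }
  return out;
}

// Flag ssri installs in the 6.x line that are older than 6.0.2.
function auditSsri(lock) {
  return findPackage(lock.dependencies, 'ssri').map((hit) => ({
    ...hit,
    vulnerable: parseVersion(hit.version)[0] === 6 && compareVersions(hit.version, '6.0.2') < 0,
  }));
}

// Constructed lockfile fragment (versions other than ssri's are made up):
// a cacache@12 install nesting a stale ssri, and a top-level ssri already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    cacache: { version: '12.0.0', dependencies: { ssri: { version: '6.0.1' } } },
    ssri: { version: '6.0.2' },
  },
};

console.log(auditSsri(SAMPLE_LOCK));
```

Running it lists the nested ssri@6.0.1 under cacache as vulnerable and the top-level 6.0.2 as clean; caretSatisfies('^6.0.1', '6.0.2') is true while '8.0.1' falls outside that range, which is why a fresh install already picks up the patched 6.x release.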