Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerability tracker devDependencies #1061

Closed
jorenbroekema opened this issue Dec 7, 2023 · 1 comment
Closed

Security vulnerability tracker devDependencies #1061

jorenbroekema opened this issue Dec 7, 2023 · 1 comment
Labels
Security anything related to security, vulnerabilities etc.

Comments

@jorenbroekema
Copy link
Collaborator

jorenbroekema commented Dec 7, 2023
edited
Loading

Security tracker devDependencies

This issue can be used for tracking security vulnerabilities in our devDependencies which cannot be auto-fixed, which should be acknowledged and actions taken to notify third parties. If they don't respond in due time, we can fork -> fix -> publish and rely on that fork instead until it's fixed in the future.

Current npm audit report dev deps (v4 branch)

image
🎉

History

Vulnerabilities in the past that have been resolved

got

This is due to docsify-cli relying on an old version of update-notifier, which through a chain of transitive deps relies on an old version of got -> GHSA-pfrx-2q88-qq97

Since docsify prefers an email to notify them of security issues, I've sent them an email, detailing what is causing it and how to fix it.

marked

This is due to docsify relying on an old version of marked. In their package.json on their develop branch, this has been updated to v4 already, yet the version of docsify on develop branch is 4.13.0 whereas on NPM registry there is 4.13.1. Unfortunately upon inspecting the published package, it still relies on v1 of marked. I can only conclude that something went wrong with publishing to NPM. I've included the details in the email to docsify team.

If it goes without a response we may need to publish a fork with the fix at some point, same for the got issue

semver

Vulnerable for <5.7.2 || >=7.0.0 <7.5.2

Vulnerable installations caused by:

So, just waiting for docsify, changesets and less to respond to my emails, comment on PR and PR, otherwise we can go with forks, but let's give it some time.
@jorenbroekema jorenbroekema mentioned this issue Dec 7, 2023
Closed
@jorenbroekema jorenbroekema added the Security anything related to security, vulnerabilities etc. label Dec 7, 2023
@jorenbroekema
Copy link
Collaborator Author

Closing until new vulnerabilities show up

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Security anything related to security, vulnerabilities etc.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jorenbroekema