
Fix GHAS Security issues #691

Merged
merged 4 commits into from
Jul 14, 2023

Conversation

rafaykh90
Contributor

Changes

Related to

Before

# npm audit report

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch

semver  6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/eslint-plugin-node/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/semver

word-wrap  *
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
  optionator  0.8.3 - 0.9.1
  Depends on vulnerable versions of word-wrap
  node_modules/optionator

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix`
node_modules/xml2js
  aws-sdk  <=2.1353.0
  Depends on vulnerable versions of xml2js
  node_modules/aws-sdk

7 vulnerabilities (5 moderate, 2 high)

After

npm audit
found 0 vulnerabilities
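An added example, not code from node-pre-gyp or from this PR: a small CI gate over the JSON form of `npm audit --json` (the `auditReportVersion: 2` shape npm 7 and later emit). The report object is constructed to mirror the "Before" output above rather than captured from the project; the function names (`classify`, `shouldFail`, `totalsConsistent`) and the severity threshold are assumptions of this example. It separates packages that carry an advisory themselves from packages that are only flagged because they depend on one, and flags nested copies such as the several `semver` paths listed above, which a bump of the top-level dependency alone does not replace.

```javascript
// Added example, not code from the node-pre-gyp project: a CI gate over the
// JSON form of `npm audit --json` (auditReportVersion 2, npm 7 and later).
// The report object below is CONSTRUCTED to mirror the "Before" audit text in
// the PR description; it was not captured from the project.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function advisory(title, url) {
  return { title, url };
}

// Constructed report. In npm's format, `via` holds advisory objects for a
// package that is itself vulnerable, or package-name strings for a package
// that merely depends on a vulnerable one (optionator, aws-sdk above).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    json5: { name: "json5", severity: "high", range: "2.0.0 - 2.2.1", fixAvailable: true,
      nodes: ["node_modules/json5"],
      via: [advisory("Prototype Pollution in JSON5 via Parse Method", "https://github.com/advisories/GHSA-9c47-m6qq-7p4h")] },
    minimatch: { name: "minimatch", severity: "high", range: "<3.0.5", fixAvailable: true,
      nodes: ["node_modules/minimatch"],
      via: [advisory("minimatch ReDoS vulnerability", "https://github.com/advisories/GHSA-f8q6-p94x-37v3")] },
    semver: { name: "semver", severity: "moderate", range: "6.0.0 - 6.3.0 || 7.0.0 - 7.5.1", fixAvailable: true,
      nodes: ["node_modules/@babel/core/node_modules/semver", "node_modules/make-dir/node_modules/semver", "node_modules/semver"],
      via: [advisory("semver vulnerable to Regular Expression Denial of Service", "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw")] },
    "word-wrap": { name: "word-wrap", severity: "moderate", range: "*", fixAvailable: true,
      nodes: ["node_modules/word-wrap"],
      via: [advisory("word-wrap vulnerable to Regular Expression Denial of Service", "https://github.com/advisories/GHSA-j8xg-fqg3-53r7")] },
    optionator: { name: "optionator", severity: "moderate", range: "0.8.3 - 0.9.1", fixAvailable: true,
      nodes: ["node_modules/optionator"], via: ["word-wrap"] },
    xml2js: { name: "xml2js", severity: "moderate", range: "<0.5.0", fixAvailable: true,
      nodes: ["node_modules/xml2js"],
      via: [advisory("xml2js is vulnerable to prototype pollution", "https://github.com/advisories/GHSA-776f-qx25-q3cc")] },
    "aws-sdk": { name: "aws-sdk", severity: "moderate", range: "<=2.1353.0", fixAvailable: true,
      nodes: ["node_modules/aws-sdk"], via: ["xml2js"] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 5, high: 2, critical: 0, total: 7 } },
};

// Split the report into packages that carry an advisory themselves and
// packages flagged only because they depend on one. npm's headline count
// (7 here) includes both, so it overstates the number of distinct flaws.
function classify(report) {
  const direct = [];
  const dependents = [];
  for (const v of Object.values(report.vulnerabilities)) {
    const advisories = v.via.filter((x) => typeof x === "object");
    const entry = {
      name: v.name,
      severity: v.severity,
      range: v.range,
      advisories: advisories.map((a) => a.url),
      // A path with more than one node_modules segment is a nested copy that a
      // parent package resolves for itself; updating the top-level dependency
      // leaves it in place unless the parent is updated or an override applies.
      nestedCopies: v.nodes.filter((p) => p.split("node_modules/").length > 2),
    };
    (advisories.length > 0 ? direct : dependents).push(entry);
  }
  return { direct, dependents };
}

// Gate decision: fail when any finding is at or above `threshold`.
function shouldFail(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  return Object.values(report.vulnerabilities).some((v) => SEVERITY_RANK[v.severity] >= min);
}

// Cross-check npm's metadata totals against the per-package entries so a
// truncated or hand-edited report cannot slip through the gate.
function totalsConsistent(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const v of Object.values(report.vulnerabilities)) counts[v.severity]++;
  const m = report.metadata.vulnerabilities;
  return Object.keys(counts).every((k) => counts[k] === m[k]) &&
    Object.keys(report.vulnerabilities).length === m.total;
}

// Human-readable summary for the CI log.
function summarize(report, threshold = "high") {
  const { direct, dependents } = classify(report);
  const lines = [`${direct.length} packages with advisories, ${dependents.length} dependents only`];
  for (const d of direct) {
    if (d.nestedCopies.length > 0) lines.push(`${d.name}: ${d.nestedCopies.length} nested copies`);
  }
  lines.push(`totals consistent: ${totalsConsistent(report)}`);
  lines.push(`gate (${threshold}): ${shouldFail(report, threshold) ? "FAIL" : "PASS"}`);
  return lines.join("\n");
}

console.log(summarize(sampleReport));
```

In a pipeline the `sampleReport` object would be replaced by `JSON.parse` of the captured `npm audit --json` output; the consistency check matters there because a report cut short by a network or registry error otherwise reads as "no findings".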

@rafaykh90
Contributor Author

node-pre-gyp v1.0.11-dev.1 is published for testing.

@rafaykh90 rafaykh90 marked this pull request as ready for review July 14, 2023 10:17
@rafaykh90 rafaykh90 requested a review from axrj July 14, 2023 11:19
axrj
axrj previously approved these changes Jul 14, 2023
package.json Outdated
@@ -1,7 +1,7 @@
{
"name": "@mapbox/node-pre-gyp",
"description": "Node.js native addon binary install tool",
"version": "1.0.10",
"version": "1.0.11-dev.1",
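Review bot: the only change in this hunk is the version line moving from `"version": "1.0.10",` to the prerelease tag `"version": "1.0.11-dev.1",`, which matches the test publish mentioned in the thread but is not a release version; it should be bumped to a final 1.0.11 before merge (the hunk is marked Outdated, so confirm the final diff carries the release version). The dependency bumps that take the audit from 7 findings to 0 are not visible in this hunk, so check that the lockfile change is part of the same PR.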
Contributor


lgtm. Thanks. Could you finalise the package version?

Contributor Author


Done. Please re-approve the PR. Thanks.

@axrj axrj merged commit a74f5e3 into master Jul 14, 2023
4 checks passed