
fix: vendor tree-kill #72

Merged: 1 commit from fix/vendor-tree-kill into master, Dec 6, 2019

Conversation

robcresswell (Contributor) commented Dec 6, 2019

The tree-kill package has an RCE issue because the pid input is passed unsanitised to an exec command. To work around this, we are vendoring the code and adding some basic checks to make sure the pid is valid.

Also adding a .npmrc file to prevent package-lock.json being generated, and moved debug to prod deps because it's used in lib/

@robcresswell robcresswell requested a review from a team as a code owner December 6, 2019 11:07
@ghost ghost requested review from gitphill and miiila December 6, 2019 11:07
claassistantio commented Dec 6, 2019

CLA assistant check
All committers have signed the CLA.

robcresswell force-pushed the fix/vendor-tree-kill branch 2 times, most recently from 0e28efb to 384121a, December 6, 2019 11:33
package.json (review thread, outdated, resolved)
robcresswell added a commit to snyk/cli that referenced this pull request Dec 6, 2019
The `tree-kill` package, introduced by `snyk-sbt-plugin`, has an RCE
vulnerability. This patch raises the version of `snyk-sbt-plugin` to
remove the vulnerability.

See snyk/snyk-sbt-plugin#72 for further
information
The `tree-kill` package has an RCE issue because the `pid` input is
passed unsanitised to an `exec` command. To work around this, we are
vendoring the code and adding some basic checks to make sure the pid is
valid.

Also adding a `.npmrc` file to prevent `package-lock.json` being
generated, and moved `debug` to prod deps because it's used in
`lib/`
@@ -28,17 +28,16 @@
"devDependencies": {
"@types/node": "6.14.6",
"@types/sinon": "7.0.11",
"debug": "^4.1.1",
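Review bot: the hunk header `@@ -28,17 +28,16 @@` shows devDependencies losing one line and the description says `debug` moves to prod deps, yet the visible lines still carry `"debug": "^4.1.1",` under devDependencies and the matching entry under `dependencies` is not in view; confirm it lands there with the same version range and that the devDependencies copy is gone, so the package does not declare it in both places. Separately, `debug` keeps a caret range while the neighbouring entries are exact pins (`"6.14.6"`, `"7.0.11"`); since this same PR adds an `.npmrc` that stops package-lock.json being generated, a runtime dependency at `^4.1.1` will float on every install, so consider pinning it like the others.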
Review comment (Contributor):

is it meant to move to prod deps?

@robcresswell robcresswell merged commit 5b93583 into master Dec 6, 2019
@robcresswell robcresswell deleted the fix/vendor-tree-kill branch December 6, 2019 14:53
snyksec commented Dec 6, 2019

🎉 This PR is included in version 2.9.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

6 participants