Update browser-sync to 2.27.6 #2054

Merged
merged 1 commit into from
Oct 26, 2021

Conversation

ThewBear
Contributor

The version of ua-parser-js used by browser-sync v2.27.5 contains a crypto-miner malware.

BrowserSync/browser-sync#1914

Please consider releasing the security fix to the v0.12.x branch since this is a critical severity vulnerability.

@zachleat
Member

I think 0.x uses 2.26.x https://github.com/11ty/eleventy/blob/v0.x/package.json

But new installs to 1.x (via ^2.27.5) will install 2.27.6 because of the ^. I don’t think existing installs and those locked in from a package-lock.json would get 2.27.6 even with a new beta release? All that said, I will definitely issue a new 1.x that points to the updated version.

@zachleat
Member

Actually, I misspoke—sorry. A fresh Eleventy install using 0.12.1 (via npm install @11ty/eleventy) uses the latest browser-sync 2.27.6


@zachleat zachleat added this to the Eleventy 1.0.0 milestone Oct 26, 2021
@zachleat zachleat merged commit 429a366 into 11ty:master Oct 26, 2021
@zachleat
Member

zachleat commented Oct 26, 2021

Shipping with 1.0.0-beta.3.

Any existing installs in the wild that are tied to browser-sync 2.27.5 (on 0.x or 1.x) will likely still have the problematic version locally.

@zachleat
Member

To make sure this doesn’t affect your install of Eleventy, you can:

  1. Nuclear option and clean out/reinstall your node_modules
  2. npm install browser-sync to update your local browser-sync to the latest fixed version.

To know whether this affects you, you’ll want to look in your package-lock.json for ua-parser-js for versions 0.7.29, 0.8.0, or 1.0.0: faisalman/ua-parser-js#536 (comment) (via browser-sync 2.27.5)

@DanielRuf

The affected versions were removed after about 4 hours on Friday (22nd of October) and new clean releases were published.

See also faisalman/ua-parser-js#536 (comment)

@marcfilleul

I was using eleventy 1.0 beta 2 and after running yarn upgrade, I'm now using eleventy 1.0 canary 44 with updated browsersync 2.27.7 and ua-parser-js 1.0.2.

So I don't need to clean out everything?

@zachleat
Member

zachleat commented Oct 29, 2021

@marcfilleul If you don’t have the noted versions you should be fine. But for the beta -> canary swap you may want to read this #2009

@marcfilleul

@zachleat Thanks!
