Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(vulnerability): patch a potential vulnerability updating lodash dependency #372

Merged
merged 1 commit into from
Aug 4, 2020
Merged

fix(vulnerability): patch a potential vulnerability updating lodash dependency #372

merged 1 commit into from
Aug 4, 2020

Conversation

arnaudbesnier
Copy link
Member

@arnaudbesnier arnaudbesnier commented Aug 3, 2020
edited by amessinger
Loading

Clickup card: https://app.clickup.com/t/6up7hd

Pull Request checklist:

  • Write an explicit title for the Pull Request, following Conventional Commits specification
  • Create automatic tests
  • No automatic tests failures
  • Test manually the implemented changes
  • Review my own code (indentation, syntax, style, simplicity, readability)
  • Wonder if you can improve the existing code

@arnaudbesnier arnaudbesnier mentioned this pull request Aug 3, 2020
Closed
6 tasks
arnaudbesnier
arnaudbesnier commented Aug 3, 2020
View reviewed changes
package.json
"@commitlint/travis-cli": "8.3.5",
"@commitlint/cli": "9.1.1",
"@commitlint/config-conventional": "9.1.1",
"@commitlint/travis-cli": "9.1.1",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the "light" breaking change introduced by version 9:
https://github.com/conventional-changelog/commitlint/blob/master/CHANGELOG.md#breaking-changes

arnaudbesnier
arnaudbesnier commented Aug 3, 2020
View reviewed changes
yarn.lock
get-stdin "7.0.0"
lodash "4.17.15"
lodash "^4.17.15"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Enables lodash upgrade to v4.17.19

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it enough to upgrade lodash on an existing install?

Copy link
Member Author

@arnaudbesnier arnaudbesnier Aug 4, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the Rails agent, package.json file is only used for development tools (ie devDependencies).
The Rails agent dependencies are the Ruby gems you'll find in the Gemfile (not the npm dependencies in the package.json)

arnaudbesnier
arnaudbesnier commented Aug 3, 2020
View reviewed changes
yarn.lock
"@commitlint/types" "^9.1.1"
chalk "4.1.0"
cosmiconfig "^6.0.0"
lodash "^4.17.15"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Enables lodash upgrade to v4.17.19

arnaudbesnier
arnaudbesnier commented Aug 3, 2020
View reviewed changes
yarn.lock
dependencies:
import-fresh "^3.0.0"
lodash "4.17.15"
lodash "^4.17.15"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Enables lodash upgrade to v4.17.19

arnaudbesnier
arnaudbesnier commented Aug 3, 2020
View reviewed changes
yarn.lock
resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#b447f6670a0455bbfeedd11392eff330ea097548"
integrity sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==
lodash@^4.17.15, lodash@^4.17.4:
version "4.17.19"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All lodash dependencies are now using v4.17.19

@arnaudbesnier arnaudbesnier merged commit 5bd2471 into master Aug 4, 2020
@arnaudbesnier arnaudbesnier deleted the fix/security-lodash-vulnerability branch August 4, 2020 08:59
forest-bot added a commit that referenced this pull request Aug 4, 2020
@forest-bot
chore(release): 5.2.2 [skip ci]
a36791d 
## [5.2.2](v5.2.1...v5.2.2) (2020-08-04)

### Bug Fixes

* **vulnerability:** patch a potential vulnerability updating lodash dependency ([#372](#372)) ([5bd2471](5bd2471))
@forest-bot
Copy link
Member

🎉 This PR is included in version 5.2.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Watanabe1011 added a commit to Watanabe1011/Forest-Rails that referenced this pull request Jun 3, 2024
@Watanabe1011
chore(release): 5.2.2 [skip ci]
c78cc8e 
## [5.2.2](ForestAdmin/forest-rails@v5.2.1...v5.2.2) (2020-08-04)

### Bug Fixes

* **vulnerability:** patch a potential vulnerability updating lodash dependency ([#372](ForestAdmin/forest-rails#372)) ([5bd2471](ForestAdmin/forest-rails@5bd2471))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ghusse ghusse ghusse left review comments

@amessinger amessinger amessinger approved these changes

Assignees

@arnaudbesnier arnaudbesnier

Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@arnaudbesnier @forest-bot @ghusse @amessinger