
Multiple security vulnerabilities in dependencies #978

Closed
nseba opened this issue Feb 26, 2019 · 4 comments · Fixed by #992
Labels
bug Functionality does not match expectation

Comments

@nseba

nseba commented Feb 26, 2019

Hi,

We use yarn and yarn audit in our build pipeline and by upgrading to the latest typedoc version (0.14.2), we have more than 20 vulnerabilities reported in the dependencies of typedoc. I have attached a JSON output containing the details.

audit.json.txt

@nseba nseba added the bug Functionality does not match expectation label Feb 26, 2019
@aciccarello
Collaborator

Thanks for sharing. We'll update our dependencies before the next release, which should help fix some of these.

@nseba
Author

nseba commented Feb 26, 2019

In the meantime I was able to circumvent this problem by adding this into my package.json:

```json
"resolutions": {
    "typedoc/highlight.js/gear-lib/knox/debug": "^2.6.9",
    "typedoc/highlight.js/gear-lib/jshint/cli": "^1.0.0",
    "typedoc/highlight.js/gear-lib/less/clean-css": "^4.1.11",
    "typedoc/highlight.js/gear-lib/less/request": "^2.68.0",
    "typedoc/highlight.js/**/uglify-js": "^2.6.0",
    "typedoc/highlight.js/**/handlebars": "^4.0.0",
    "typedoc/highlight.js/**/mime": "^1.4.1",
    "**/minimatch": "^3.0.2",
    "**/micromatch/braces": "^2.3.1"
}
```

So far I didn't get any errors when running typedoc, but it solved the audit warning.
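A small script, added here and not part of the issue thread or the typedoc project, that turns the per-advisory path records from `yarn audit --json` into a `resolutions` block of the shape shown above, so a team can see which transitive path each pin covers and which findings have no patched release to pin to. It assumes Yarn 1's newline-delimited JSON output (one `auditAdvisory` record per finding with `data.resolution.path` and `data.advisory.patched_versions`); the records below are constructed samples in that shape, and the `example-*` modules are placeholders.

```javascript
// Added example, not code from typedoc or the issue author. Assumes the
// newline-delimited JSON that `yarn audit --json` (Yarn 1) emits: one
// {"type":"auditAdvisory"} record per finding, with data.resolution.path
// ("a>b>c") and data.advisory.patched_versions. The records below are
// constructed samples in that shape; "example-*" modules are placeholders.
const advisory = (path, patched) => ({ type: "auditAdvisory",
  data: { resolution: { path }, advisory: { patched_versions: patched } } });
const SAMPLE_AUDIT_NDJSON = [
  advisory("typedoc>highlight.js>gear-lib>knox>debug", ">= 2.6.9 < 3.0.0 || >= 3.1.0"),
  advisory("typedoc>highlight.js>gear-lib>less>clean-css", ">=4.1.11"),
  advisory("typedoc>example-lib", ">=1.2.0"),   // two advisories on one path
  advisory("typedoc>example-lib", ">=1.4.0"),
  advisory("typedoc>example-no-fix", "<0.0.0"), // no patched release exists
  { type: "auditSummary", data: { vulnerabilities: { low: 5 } } },
].map((r) => JSON.stringify(r)).join("\n");

// Lowest version named by a leading ">=" clause; null means "review by hand"
// (e.g. "<0.0.0", which the registry uses when no patched release exists).
function minPatchedVersion(range) {
  const m = /^\s*>=\s*(\d+\.\d+\.\d+)/.exec(range);
  return m ? m[1] : null;
}

function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Build the "resolutions" object: audit path "a>b>c" becomes key "a/b/c",
// value "^<lowest patched>"; the highest floor wins when a path repeats.
function buildResolutions(ndjson) {
  const resolutions = {}, review = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (rec.type !== "auditAdvisory") continue;
    const key = rec.data.resolution.path.split(">").join("/");
    const v = minPatchedVersion(rec.data.advisory.patched_versions);
    if (v === null) { review.push(key); continue; }
    if (!resolutions[key] || compareSemver(v, resolutions[key].slice(1)) > 0)
      resolutions[key] = `^${v}`;
  }
  return { resolutions, review };
}

console.log(JSON.stringify(buildResolutions(SAMPLE_AUDIT_NDJSON), null, 2));
```

Entries in `review` have no patched floor to pin, so they need a different fix (replacing or removing the dependency); after applying the generated block, re-run `yarn audit` to confirm the paths are actually resolved.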

@AndrewCraswell

Is the next release scheduled soon? Many teams have policies against using modules that have reported security vulnerabilities. This seems like a big deal to be open for nearly a month...

@aciccarello
Collaborator

Sorry, I'm working on some changes that I'm hoping to get into the next release but I may make an interim release.

Most of the security vulnerabilities are things like minimatch so the security vulnerabilities aren't relevant in this use case but I recognize that those things are hard to sort out.

aciccarello added a commit that referenced this issue Mar 22, 2019
jumpinjackie added a commit to jumpinjackie/mapguide-react-layout that referenced this issue Apr 22, 2019