Question: alpha state?

[kirrg001]

Hey 👋

The last alpha was released on the 5th of Jan.
I am waiting for an update of babel core, because of a vulnerability.
Could you give me an update please?

Thanks 🙂
Kate

[Turbo87]

what "vulnerability" is that?

[kirrg001]

minimatch@2.0.10

(+) 1 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                                                                                                                              │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ minimatch                                                                                                                                                                         │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 2.0.10                                                                                                                                                                            │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <=3.0.1                                                                                                                                                                           │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >=3.0.2                                                                                                                                                                           │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ ghost@1.0.0-alpha.14 > ghost-editor@0.1.10 > ember-cli-babel@5.2.4 > broccoli-babel-transpiler@5.6.2 > babel-core@5.8.38 > minimatch@2.0.10                                       │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/118                                                                                                                                            │
└───────────────┴──────────────────────────────────────────

[Turbo87]

are you passing user input into minimatch?

[kirrg001]

I think we are not using it right now, but maybe other people do.

[Turbo87]

to be honest I don't see how anyone could actually take advantage of that vulnerability through the broccoli-babel-transpiler plugin. broccoli is usually used in the build pipeline where usually no user input is part of the build or could be harmful in any way. as there is no user input there is also no realistic way to take advantage of such a vulnerability. unless you can demonstrate that this is an actual issue I'd like to close this issue.

as for Babel 6: we (mainly @rwjblue) are actively working on supporting Babel 6 in Ember CLI (and Broccoli) in the near future, but we are not done yet.

[kirrg001]

Ok 👍 Is there any deadline planned for your upcoming release?

[Turbo87]

we are hoping to get an MVP in Ember CLI 2.13, but as we're talking about an OSS project there are no guarantees at all