
Fix vulnerability preventing Desktop from building #298

Merged
merged 1 commit into from Apr 13, 2019

Conversation

@bsclifton
Member

bsclifton commented Apr 12, 2019

@bsclifton bsclifton self-assigned this Apr 12, 2019
@bsclifton bsclifton requested a review from bbondy Apr 13, 2019
Contributor

AlexeyBarabash left a comment

Looks good.

@diracdeltas
Member

diracdeltas commented Apr 13, 2019

How were these changes generated? (ex: delete node_modules, run npm install)

@AlexeyBarabash
Contributor

AlexeyBarabash commented Apr 13, 2019

@diracdeltas I guess, with npm audit fix

before PR

```
npm install

> electron@1.8.8 postinstall /home/alexey/Projects/sync_CLIFTON/sync/node_modules/electron
> node install.js


> nodemon@1.18.6 postinstall /home/alexey/Projects/sync_CLIFTON/sync/node_modules/nodemon
> node bin/postinstall || exit 0


> protobufjs@6.8.8 postinstall /home/alexey/Projects/sync_CLIFTON/sync/node_modules/protobufjs
> node scripts/postinstall

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

added 796 packages from 636 contributors and audited 4378 packages in 8.329s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

alexey@HAPPYUBU7:~/Projects/sync_CLIFTON/sync$ npm audit

                       === npm audit security report ===

# Run  npm update tar --depth 5  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nodemon > chokidar > fsevents > node-pre-gyp > tar           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

after PR

```
git checkout fced1236e01e9cdd0630712468362be42d9d9d62
Note: checking out 'fced1236e01e9cdd0630712468362be42d9d9d62'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at fced123... Fix vulnerability preventing Desktop from building
alexey@HAPPYUBU7:~/Projects/sync_CLIFTON/sync$ npm install
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

audited 4378 packages in 3.841s
```

@diracdeltas
Member

diracdeltas commented Apr 13, 2019

sgtm

@bsclifton
Member Author

bsclifton commented Apr 13, 2019

That is correct; this is the result from running npm audit fix 😄

@bsclifton bsclifton merged commit 0a6faaf into staging Apr 13, 2019
2 checks passed
continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
@bsclifton bsclifton deleted the bsc-fix-audit-deps branch Apr 13, 2019