Commit de41b62

Javascript-node & universal: Update 'ansi-regex' due to CVE-2021-3807 (#246)
* patch
* add check
* Patch for universal
* patch javascript-node
* update check-version-ge
* patch universal
* update manifest
* nit
* update: javascript
* update universal
* update test
* check without --save
* debug
* remove debug
* add checks
* Remove unwanted check!
* remove unwanted checks
* Update install.sh
* Update install.sh
* remove unwanted changes
1 parent 2657a05 commit de41b62

3 files changed: +10 -4 lines changed


src/javascript-node/.devcontainer/library-scripts/add-patch.sh

Lines changed: 3 additions & 2 deletions
@@ -2,8 +2,9 @@
22

33
IMAGE_VARIANT=$1
44

5-
# Temporary: Upgrade 'decode-uri-component' due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
6-
# 'decode-uri-component' is installed by the base image (node) for `node:14` which does not have the patch.
5+
# Temporary: These packages are installed by the base image (node) for `node:14` which does not have the patch.
6+
# Upgrade 'decode-uri-component' due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
7+
# Upgrade 'ansi-regex ' due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807
78
if [[ "${IMAGE_VARIANT}" =~ "14" ]] ; then
89
cd /usr/local/lib/node_modules/npm
910
npm update --save
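
Review bot: only comments change in this hunk, and the command left in context, `npm update --save`, names neither package, so nothing visible here guarantees that ansi-regex ends up at a patched version on the `node:14` variant. Consider following the update with an explicit version check, as the universal test in this commit does with `check-version-ge`, so that a no-op update fails the build. The new comment on line 7 also has a stray space inside the quotes ('ansi-regex '). Separately, `=~ "14"` with a quoted right-hand side is a substring match, so any variant string containing 14 takes this branch; an anchored pattern would be tighter.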

src/universal/.devcontainer/local-features/setup-user/install.sh

Lines changed: 4 additions & 2 deletions
@@ -22,9 +22,11 @@ export DEBIAN_FRONTEND=noninteractive
2222

2323
# Temporary: Upgrade NPM packages due to mentioned CVEs.
2424
# decode-uri-component: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
25-
NPM_PACKAGES_LIST="decode-uri-component"
25+
# ansi-regex: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807
26+
NPM_PACKAGES_LIST="decode-uri-component
27+
ansi-regex"
2628

27-
cd /usr/local/share/nvm/versions/node/v14.21.1/lib/node_modules/npm
29+
cd /usr/local/share/nvm/versions/node/v14*/lib/node_modules/npm
2830
npm install ${NPM_PACKAGES_LIST}
2931

3032
# Enables the oryx tool to generate manifest-dir which is needed for running the postcreate tool
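
Review bot: the glob in `cd /usr/local/share/nvm/versions/node/v14*/lib/node_modules/npm` is never checked for how many directories it matches. With zero matches `cd` fails, and with more than one the result depends on the shell; in either case the `npm install` on the next line can run in the wrong directory unless the script aborts on error, which is not visible in this hunk. Resolve the directory first, assert exactly one match, and use `cd ... || exit 1`. Separately, `npm install ${NPM_PACKAGES_LIST}` installs whatever version is current and relies on unquoted word splitting across the newline inside the string; stating minimum versions and using a space-separated list or an array would make both explicit.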

src/universal/test-project/test.sh

Lines changed: 3 additions & 0 deletions
@@ -174,6 +174,9 @@ cd /usr/local/share/nvm/versions/node/v14.21.1/lib/node_modules/npm
174174
decodeVersion=$(npm ls --depth 1 --json | jq -r '.dependencies."decode-uri-component".version')
175175
check-version-ge "decode-uri-component" "${decodeVersion}" "0.2.1"
176176

177+
ansiVersion=$(npm ls --depth 1 --json | jq -r '.dependencies."ansi-regex".version')
178+
check-version-ge "ansi-regex" "${ansiVersion}" "6.0.0"
179+
177180
ls -la /home/codespace
178181

179182
# Report result
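
Review bot: the context in this hunk's header still reads `cd /usr/local/share/nvm/versions/node/v14.21.1/lib/node_modules/npm`, while install.sh in this same commit switches to `v14*`, so the test would change into a path that no longer exists once the Node 14 patch version moves, even though the install keeps working. Use the same resolved path in both places. Also, `.dependencies."ansi-regex".version` reads only the top-level entry of `npm ls --depth 1 --json`: if the package is absent at that level, `jq -r` prints `null` into `check-version-ge`, and copies nested under other dependencies are never inspected. Please also confirm that "6.0.0" is the first release carrying the fix for CVE-2021-3807, since the check passes on exactly that version.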
