Update vulnerabilities dependencies #110

Merged
merged 4 commits into from Oct 12, 2018

Conversation

3 participants
@YoshinoriN
Member

YoshinoriN commented Oct 12, 2018

Problem

The current dependencies have 6 vulnerabilities.
This problem was reported in hexo/#3215 ("nom install后有异常", roughly "something abnormal after nom install").

Below is the full report.

found 6 vulnerabilities (4 low, 1 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details


  Low             Regular Expression Denial of Service

  Package         debug
  Dependency of   mocha [dev]
  Path            mocha > debug
  More info       https://nodesecurity.io/advisories/534

  High            Regular Expression Denial of Service

  Package         minimatch
  Dependency of   mocha [dev]
  Path            mocha > glob > minimatch
  More info       https://nodesecurity.io/advisories/118

  Critical        Command Injection

  Package         growl
  Dependency of   mocha [dev]
  Path            mocha > growl
  More info       https://nodesecurity.io/advisories/146

  Low             Prototype Pollution

  Package         lodash
  Patched in      >=4.17.5
  Dependency of   jscs [dev]
  Path            jscs > jscs-jsdoc > jsdoctypeparser > lodash
  More info       https://nodesecurity.io/advisories/577

  Low             Prototype Pollution
  Package         lodash
  Patched in      >=4.17.5
  Dependency of   jscs [dev]
  Path            jscs > lodash
  More info       https://nodesecurity.io/advisories/577

  Low             Prototype Pollution
  Package         lodash
  Patched in      >=4.17.5
  Dependency of   jscs [dev]
  Path            jscs > xmlbuilder > lodash
  More info       https://nodesecurity.io/advisories/577

found 6 vulnerabilities (4 low, 1 high, 1 critical) in 1937 scanned packages
  3 vulnerabilities require semver-major dependency updates.
  3 vulnerabilities require manual review. See the full report for details.

Fix

1. Update dependencies

Update the dependency packages which contain vulnerabilities. Delete jscs. The current jscs has vulnerabilities, and it can be deleted if eslint is upgraded.

2. Fix eslint style errors

After updating eslint, the code has some style errors.
Fix the eslint style and disable the no-useless-escape eslint rule on the repository regular expression line.
About the latter: the default eslint setting displays a no-useless-escape error, but the regular expression seems correct. So, I ignore the line.

@YoshinoriN YoshinoriN requested a review from hexojs/core Oct 12, 2018
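The audit report above lists lodash prototype pollution (advisory 577, patched in >=4.17.5) three times. As an added example, not code from hexo or from this PR, the block below shows the mechanism on its own with a constructed payload: a naive recursive merge of the same general shape as the vulnerable pattern walks an own `__proto__` key straight into `Object.prototype`, while a hardened merge refuses prototype-chain keys. The names `naiveMerge`, `safeMerge`, `pollutionProbe` and the `isAdmin` property are assumptions made for the demonstration; no lodash install is needed to run it.

```javascript
// Added example (not hexo's or lodash's code): prototype pollution through a
// recursive merge, and the hardened form. Payload is constructed for the demo.

// JSON.parse creates "__proto__" as an OWN data property, so Object.keys sees it.
const POLLUTED_PAYLOAD = JSON.parse('{"__proto__": {"isAdmin": true}}');

// Vulnerable: copies every own key of `source`, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, which is an object, so
// the recursion descends into it and assigns isAdmin on the global prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: never follow keys that reach the prototype chain, and only
// descend into containers that are the target's own plain properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the dangerous keys outright
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (!own || typeof own !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs a merge of the payload into a fresh object and reports whether an
// unrelated object, created beforehand, picked up the injected property.
// Cleans the global prototype afterwards so later code is unaffected.
function pollutionProbe(mergeFn) {
  const bystander = {};
  mergeFn({}, POLLUTED_PAYLOAD);
  const polluted = bystander.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log('naiveMerge polluted Object.prototype:', pollutionProbe(naiveMerge));
console.log('safeMerge polluted Object.prototype:', pollutionProbe(safeMerge));
```

The same pattern is why a `Patched in >=4.17.5` line matters even for a dev-only path like jscs > lodash: anything that deep-merges attacker-influenced JSON (config files, request bodies) into a plain object turns a parser quirk into a process-wide authorization flag.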

@coveralls

coveralls commented Oct 12, 2018


Coverage remained the same at 90.0% when pulling de9fadb on YoshinoriN:update-vulnerabilities-dependencies into 4a2e283 on hexojs:master.

@segayuu
Contributor

segayuu left a comment

LGTM!

@segayuu segayuu merged commit e6414bb into hexojs:master Oct 12, 2018

2 of 3 checks passed

continuous-integration/appveyor/pr: Waiting for AppVeyor build to complete
continuous-integration/travis-ci/pr: The Travis CI build passed
coverage/coveralls: Coverage remained the same at 90.0%

@YoshinoriN YoshinoriN deleted the YoshinoriN:update-vulnerabilities-dependencies branch Oct 12, 2018
