Skip sending the proxyReq event when the expect header is present #1447

Merged
merged 2 commits into from May 17, 2020

Contributor

jsmylnycky commented May 15, 2020

Hotfix for https://www.npmjs.com/advisories/1486

Expecting build error due to Node 6. Waiting for #1397 to be merged to have a clean CI build.


alexgvozden commented May 17, 2020

Will anyone merge this if it solves the issue?


amitmula commented May 17, 2020

Any ETA on when this is getting merged?


Hypnosphi commented May 17, 2020

@indexzero @jcrugzz looks like this requires your immediate attention

Contributor

indexzero commented May 17, 2020

My children are the only thing that requires immediate attention, sorry. Software happens during normal working hours. Didn't get to this on Friday, therefore it will be tomorrow.

Jarrett may have a moment, I have asked him.

Contributor

jcrugzz commented May 17, 2020

@jsmylnycky thanks for the work here. Will release this fix in a few

jcrugzz merged commit 335aeeb into master May 17, 2020
0 of 2 checks passed
jcrugzz deleted the hotfix/advisory-1486 branch May 17, 2020

Contributor

jcrugzz commented May 17, 2020

published as 1.18.1


fabb commented May 18, 2020

Have you informed npm support to whitelist this version? Currently it's still blacklisted: https://www.npmjs.com/advisories/1486/versions
The support usually resolves such inquiries within a few hours: security@npmjs.com


Hypnosphi commented May 18, 2020

@indexzero that's understandable, sorry for my wording. But the vulnerability seems to have been reported almost 3 months ago. Do you consider adding more core maintainers as an option?

Contributor Author

jsmylnycky commented May 18, 2020

@Hypnosphi If you take a look at the top of the Issues page, there are two pinned posts going back to Aug/Sept, basically looking to get more people active with the future of this project. There's been very little activity from folks willing to actually jump in and contribute, though. If it is something you're interested in doing, I suggest you take a look at those posts and leave some comments to get in touch :)


Lucidiot commented May 18, 2020

Just out of curiosity, was the vulnerability actually reported to the maintainers? This would not be the first time nobody knows about the issue until the advisory goes public: sass/node-sass#2816 (comment)


hendrikmolder commented May 18, 2020

> Have you informed npm support to whitelist this version? Currently it's still blacklisted: https://www.npmjs.com/advisories/1486/versions
> The support usually resolves such inquiries within a few hours: security@npmjs.com

They've now marked the fixed version as unaffected
