merge package v1.2.0 has CVE-2018-16469 vulnerability #7318

Closed
d4nyll opened this issue Nov 1, 2018 · 4 comments

Comments

d4nyll (Contributor) commented Nov 1, 2018

jest-haste-map indirectly depends on merge v1.2.0, which has a vulnerability

I have traced the dependency tree:

$ yarn why merge
yarn why v1.7.0
[1/4] Why do we have the module "merge"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "merge@1.2.0"
info Reasons this module exists
   - "_project_#jest-haste-map#sane#exec-sh" depends on it
   - Hoisted from "_project_#jest-haste-map#sane#exec-sh#merge"
...
  • The current version of exec-sh (v0.3.2) has removed the merge dependency.
  • The current version of sane (v4.0.1), however, still uses the v0.2.0 version of exec-sh.

To remove this vulnerability from jest-haste-map, either:

  1. Ignore it / wait for it to get patched later (since it's 'only' a dev dependency)
  2. Remove / replace the sane package
  3. Wait for this PR to be merged and upgrade to the latest version of sane
iamkun commented Nov 2, 2018

I've made a PR here #7322 to upgrade sane to 4.0.2 to fix this.

frosas (Contributor) commented Nov 7, 2018

Because caret ranges are used to define the dependencies, a possible workaround is to ensure the newer fixed version of merge (1.2.1) is being used:

$ rm -rf package-lock.json node_modules
$ npm i
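As an added example (not code from this issue or from the Jest project), the following Node script puts the two points above in one place: it traces every path from the project to a vulnerable transitive version, the way the `yarn why` output in the first comment does, and it checks whether the range the immediate parent declares already admits the patched version, which is what makes the lockfile-regeneration workaround work. The lockfile fragment and the version numbers in it are constructed for the example (a jest-haste-map 23.6.0 requiring sane ^4.0.0, sane 4.0.1 requiring exec-sh ^0.2.0, exec-sh 0.2.0 requiring merge ^1.2.0, with sane and merge hoisted to the top level); the function names `satisfies`, `resolve` and `trace` are mine, and the caret-range logic is a deliberately minimal reimplementation rather than the `semver` package.

```javascript
// Added example, not code from the Jest issue or project: trace how a
// vulnerable transitive dependency is reached through a package-lock-style
// tree and decide whether the declared ranges already admit the fix.

// Constructed lockfile fragment in package-lock v1 shape: each node has a
// resolved "version", the ranges it "requires", and nested "dependencies".
// Version numbers are made up for the example; only the chain
// sane -> exec-sh 0.2.0 -> merge 1.2.0 mirrors the issue's yarn output.
const LOCK = {
  name: "_project_",
  version: "0.0.0",
  requires: { "jest-haste-map": "^23.0.0" },
  dependencies: {
    "jest-haste-map": {
      version: "23.6.0", // constructed
      requires: { sane: "^4.0.0" },
    },
    sane: { // hoisted to the top level, as in the yarn output
      version: "4.0.1",
      requires: { "exec-sh": "^0.2.0" },
      dependencies: {
        "exec-sh": {
          version: "0.2.0",
          requires: { merge: "^1.2.0" },
        },
      },
    },
    merge: { version: "1.2.0", requires: {} }, // hoisted as well
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret semantics: ^1.2.0 -> >=1.2.0 <2.0.0; ^0.2.0 -> >=0.2.0 <0.3.0;
// ^0.0.3 -> >=0.0.3 <0.0.4. A bare version ("1.2.0") matches only itself.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (!range.startsWith("^")) return compare(parseVersion(range), v) === 0;
  const lo = parseVersion(range.slice(1));
  let hi;
  if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];
  else hi = [0, 0, lo[2] + 1];
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// npm's lookup rule: a dependency resolves to the nearest enclosing
// "dependencies" entry, so a hoisted package is found by walking outward.
function resolve(name, ancestors) {
  for (let i = ancestors.length - 1; i >= 0; i--) {
    const deps = ancestors[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

// Return every path from the root to `target@vulnVersion`, the range the
// immediate parent declared for it, and whether `fixedVersion` fits that
// range (i.e. whether regenerating the lockfile alone would pick up the fix).
function trace(lock, target, vulnVersion, fixedVersion) {
  const hits = [];
  function walk(node, path, ancestors, seen) {
    for (const [dep, range] of Object.entries(node.requires || {})) {
      const child = resolve(dep, ancestors);
      if (!child) continue; // not installed; nothing to trace
      const label = `${dep}@${child.version}`;
      if (dep === target && child.version === vulnVersion) {
        hits.push({
          path: [...path, label].join(" > "),
          range,
          fixAllowed: satisfies(range, fixedVersion),
        });
      }
      if (seen.has(label)) continue; // guard against dependency cycles
      walk(child, [...path, label], [...ancestors, child], new Set([...seen, label]));
    }
  }
  walk(lock, [lock.name], [lock], new Set());
  return hits;
}

console.log(JSON.stringify(trace(LOCK, "merge", "1.2.0", "1.2.1"), null, 2));
```

Run against the constructed tree, it reports a single path ending in merge@1.2.0 with `fixAllowed: true`, because ^1.2.0 admits 1.2.1; that is exactly why deleting the lockfile and reinstalling works. The same `satisfies` check shows that ^0.2.0 does not admit exec-sh 0.3.2, so regeneration alone could never drop the merge dependency, which is why sane itself had to be bumped.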

SimenB (Member) commented Mar 5, 2019

#8048

@SimenB SimenB closed this as completed Mar 5, 2019
github-actions bot commented

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 12, 2021