Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency update for jest-reporters, addressing CVE-2022-25883 #14401

Merged
merged 3 commits into from
Aug 12, 2023
Merged

Dependency update for jest-reporters, addressing CVE-2022-25883 #14401

merged 3 commits into from
Aug 12, 2023

Conversation

karlnorling
Copy link
Contributor

Summary

Addressing https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795 for semver coming in fromistanbul-lib-instrument@^5.1.0 and below.

See: istanbuljs/istanbuljs#731

  • istanbul-lib-instrument updated from 5.10.0 to 6.0.0
    • istanbul-lib-instrument dropping support for node 10
    • fixing semver vuln. CVE-2022-25883

Test plan

Green CI.

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Aug 10, 2023
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: karlnorling / name: Karl Norling (94c1216)
  • ✅ login: SimenB / name: Simen Bekkhus (93b5ce3, 720ba68)

@netlify
Copy link

netlify bot commented Aug 10, 2023
edited
Loading

Deploy Preview for jestjs ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 720ba68
🔍 Latest deploy log https://app.netlify.com/sites/jestjs/deploys/64d67b64b191e80008c66f96
😎 Deploy Preview https://deploy-preview-14401--jestjs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@SimenB
Copy link
Member

SimenB commented Aug 10, 2023
edited
Loading

The fixed semver is in semver range, so you don't need this update for your own projects.

That said, happy to upgrade to the new major here regardless. Could you run yarn, add a changelog entry and sign the CLA?

@karlnorling karlnorling force-pushed the sec/semver-CVE-2022-25883 branch 2 times, most recently from 7bbe8ce to ddf8a7f Compare August 10, 2023 14:37
@karlnorling
Copy link
Contributor Author

@SimenB I've added Changelog message and signed the EasyCLA (10 times now), but it doesn't seem to update.

Then there seems to be a timeout test error https://github.com/jestjs/jest/actions/runs/5822710774/job/15788003352?pr=14401#step:7:121

@karlnorling
Dependency update for jest-reporters, addressing CVE-2022-25883
94c1216 
 - istanbul-lib-instrument updated from 5.10.0 to 6.0.0
   - istanbul-lib-instrument dropping support for node 10
   - fixing semver vuln. CVE-2022-25883
@karlnorling
Copy link
Contributor Author

@SimenB I've squashed changes. CLA is sloved.

SimenB
SimenB approved these changes Aug 11, 2023
View reviewed changes
Copy link
Member

@SimenB SimenB left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@SimenB SimenB merged commit 25a8785 into jestjs:main Aug 12, 2023
89 checks passed
@mrazauskas mrazauskas mentioned this pull request Aug 13, 2023
Closed
@karlnorling karlnorling deleted the sec/semver-CVE-2022-25883 branch August 14, 2023 08:39
@SimenB
Copy link
Member

SimenB commented Aug 21, 2023

https://github.com/jestjs/jest/releases/tag/v29.6.3

This was referenced Aug 26, 2023
Closed
Closed
This was referenced Aug 28, 2023
Draft
Draft
Draft
Draft
Closed
@github-actions
Copy link

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@SimenB SimenB SimenB approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@karlnorling @SimenB