
Bump simple-git to 3.3.0 to fix high severity issue #18104

Merged 5 commits into main from fix-vulnerabilities on Mar 12, 2022
Conversation

mraible (Contributor) commented Mar 12, 2022

I saw our vulnerabilities badge has two issues listed on https://snyk.io/test/npm/generator-jhipster. This fixed the first one. Other updates:

 aws-sdk                      2.1087.0  →  2.1092.0
 axios                          0.26.0  →    0.26.1
 prettier-plugin-packagejson    2.2.15  →    2.2.16
 eslint                         8.10.0  →    8.11.0
 eslint-plugin-chai-friendly    ^0.7.1  →     0.7.2
 mocha                           9.2.1  →     9.2.2

I did not update chalk because chalk 5 is a breaking change.

After these changes, npm audit shows:

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install insight@0.8.4, which is a breaking change
node_modules/inquirer/node_modules/ansi-regex
node_modules/string-width/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/inquirer/node_modules/strip-ansi
  node_modules/string-width/node_modules/strip-ansi
    inquirer  3.2.0 - 7.0.4
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of strip-ansi
    node_modules/inquirer
      insight  >=0.9.0
      Depends on vulnerable versions of inquirer
      node_modules/insight
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/string-width

5 moderate severity vulnerabilities

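The audit output above is a good illustration of how one advisory in a deep transitive dependency (ansi-regex) is reported as five findings, and why npm refuses to apply the fix without `--force` (the fix is a semver-major change to insight). The script below is an added worked example, not code from this PR or from generator-jhipster: it walks an `npm audit --json` report (auditReportVersion 2, npm 7+) and separates root-cause advisories from chain findings. The embedded report is constructed to mirror the chain in the PR description; its field names follow the npm audit JSON shape as understood here (`via`, `effects`, `nodes`, `fixAvailable`), and the exact versions and ranges are illustrative rather than copied from a real audit run.

```javascript
// Added example, not part of the PR or of generator-jhipster.
// Walks an `npm audit --json` report (auditReportVersion 2, npm 7+) to separate the
// single advisory from the findings that only exist because of the dependency chain,
// and to list which fixes npm marks as semver-major (the "--force ... breaking change"
// warning in the PR). The report below is CONSTRUCTED to mirror the chain in the PR
// description; field names follow the npm audit JSON shape as understood here, and the
// versions/ranges are illustrative rather than copied from real audit output.

const BREAKING_FIX = { name: 'insight', version: '0.8.4', isSemVerMajor: true };

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'ansi-regex': {
      name: 'ansi-regex', severity: 'moderate', isDirect: false,
      // An object in `via` is the advisory itself; a string names the package that
      // transmits the vulnerability.
      via: [{
        source: 1, name: 'ansi-regex', dependency: 'ansi-regex', severity: 'moderate',
        title: 'Inefficient Regular Expression Complexity in chalk/ansi-regex',
        url: 'https://github.com/advisories/GHSA-93q8-gq69-wqmw', range: '>2.1.1 <5.0.1',
      }],
      effects: ['strip-ansi'], range: '>2.1.1 <5.0.1',
      nodes: ['node_modules/inquirer/node_modules/ansi-regex',
              'node_modules/string-width/node_modules/ansi-regex'],
      fixAvailable: BREAKING_FIX,
    },
    'strip-ansi': {
      name: 'strip-ansi', severity: 'moderate', isDirect: false, via: ['ansi-regex'],
      effects: ['inquirer', 'string-width'], range: '4.0.0 - 5.2.0',
      nodes: ['node_modules/inquirer/node_modules/strip-ansi',
              'node_modules/string-width/node_modules/strip-ansi'],
      fixAvailable: BREAKING_FIX,
    },
    'string-width': {
      name: 'string-width', severity: 'moderate', isDirect: false, via: ['strip-ansi'],
      effects: ['inquirer'], range: '2.1.0 - 4.1.0', nodes: ['node_modules/string-width'],
      fixAvailable: BREAKING_FIX,
    },
    inquirer: {
      name: 'inquirer', severity: 'moderate', isDirect: false,
      via: ['string-width', 'strip-ansi'], effects: ['insight'], range: '3.2.0 - 7.0.4',
      nodes: ['node_modules/inquirer'], fixAvailable: BREAKING_FIX,
    },
    insight: {
      name: 'insight', severity: 'moderate', isDirect: true, via: ['inquirer'],
      effects: [], range: '>=0.9.0', nodes: ['node_modules/insight'],
      fixAvailable: BREAKING_FIX,
    },
  },
};

// Packages that carry an advisory themselves, with the advisory URLs.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter(v => v.via.some(e => typeof e === 'object'))
    .map(v => ({
      name: v.name,
      advisories: v.via.filter(e => typeof e === 'object').map(e => e.url),
    }));
}

// Every chain from `pkg` up through `effects` to a package nothing else in the
// report depends on, i.e. the dependency you would actually bump or replace.
function impactPaths(report, pkg, path = [pkg]) {
  const entry = report.vulnerabilities[pkg];
  if (!entry || entry.effects.length === 0) return [path];
  return entry.effects.flatMap(next =>
    path.includes(next) ? [path] : impactPaths(report, next, [...path, next]));
}

// Findings whose only available fix is semver-major; `npm audit fix` skips these
// unless run with --force.
function breakingFixes(report) {
  return Object.values(report.vulnerabilities)
    .filter(v => typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor)
    .map(v => `${v.name}: needs ${v.fixAvailable.name}@${v.fixAvailable.version}`);
}

// Count findings per severity, which is what the "N moderate severity
// vulnerabilities" summary line reports: one advisory, five findings.
function countBySeverity(report) {
  const counts = {};
  for (const v of Object.values(report.vulnerabilities)) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
  }
  return counts;
}

console.log('root causes:', JSON.stringify(rootCauses(sampleReport)));
for (const p of impactPaths(sampleReport, 'ansi-regex')) console.log('path:', p.join(' -> '));
console.log('breaking fixes:', breakingFixes(sampleReport));
console.log('findings by severity:', countBySeverity(sampleReport));
```

To run this against a real project, replace `sampleReport` with `JSON.parse(require('fs').readFileSync(0, 'utf8'))` and pipe in `npm audit --json`. The useful output is the set of impact paths: they end at the direct dependency (here insight) that must be bumped, downgraded or replaced, which is exactly why the count on the summary line ("5 moderate") overstates the number of distinct problems to fix.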

@github-actions github-actions bot added the theme: dependencies Pull requests that update a dependency file label Mar 12, 2022
@mraible mraible merged commit 173bf19 into main Mar 12, 2022
@mraible mraible deleted the fix-vulnerabilities branch March 12, 2022 21:51
@pascalgrimaud pascalgrimaud added this to the 7.8.0 milestone Mar 27, 2022
ko5tik pushed a commit to ko5tik/generator-jhipster that referenced this pull request May 21, 2022