
Fix security vulnerabilities for latest 3.6.6 release #1906

Closed


@sseide sseide commented Apr 16, 2021

Q A
Bug fix? yes
New feature? no
Breaking change? no
Deprecations? no
Tests added? no
Fixed issues see CVE list below
License Apache-2.0

These commits fix multiple security vulnerabilities with the latest stable release of JSDoc. It would be really helpful to get a new bugfix release for the 3.6 line with these security vulnerabilities addressed.

For PROD dependencies:

  • underscore: CVE-2021-23358
  • marked: Regular Expression Denial of Service (ReDoS) CWE-400 (Uncontrolled Resource Consumption)
    update to a 1.x version not possible as these have multiple other vulnerabilities

For DEV dependencies - I know they are not exported for other projects using this, but as the package-lock.json is committed into this repository for all others to use the same version, I updated them to safe versions too (minor bugfix releases only):

I did run the test cases and tested it with our own projects to generate documentation and found no problems. For the smaller underscore update there should not be any problem; the update for marked has a new major release 0.8 -> 2.0, but it seems to work so far without any code changes needed.
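The committed package-lock.json is the point the description makes: whoever clones the repository gets exactly the locked versions, so the lockfile itself is what has to be checked. The script below is an added example, not code from this PR or from the JSDoc project; it reads both lockfile layouts npm produces (lockfileVersion 1 with a nested "dependencies" tree, and lockfileVersion 2/3 with a flat "packages" map keyed by install path) and reports every copy of a watched package, including transitive copies, that is below a minimum safe version. The thresholds in ASSUMED_MIN_SAFE are assumptions: marked 2.0.0 follows the 0.8 -> 2.0 bump described above, and the underscore value is assumed and should be taken from the CVE-2021-23358 advisory. The sample lockfiles are constructed for the demonstration.

```python
"""Audit a committed package-lock.json for packages below a minimum safe version.

Added example, not JSDoc project code. Handles lockfileVersion 1 (nested
"dependencies" tree) and lockfileVersion 2/3 (flat "packages" keyed by path).
"""
import json
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Assumed thresholds: marked 2.0.0 follows the bump described in the PR; the
# underscore value is an assumption about the CVE-2021-23358 fix release and
# should be replaced with the version named in the advisory.
ASSUMED_MIN_SAFE: Dict[str, str] = {"underscore": "1.12.1", "marked": "2.0.0"}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return a comparable tuple; a prerelease sorts below the release it precedes."""
    m = _SEMVER.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def iter_locked_versions(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (package name, resolved version) for every entry in the lockfile."""
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion >= 2: "node_modules/a/node_modules/b"
        for path, entry in packages.items():
            if path == "" or "version" not in entry:
                continue  # "" is the root project; link entries carry no version
            name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/name" intact
            yield name, entry["version"]
    # lockfileVersion 1 nested tree (v2 files also carry it for compatibility)
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, entry in stack.pop().items():
            if "version" in entry:
                yield name, entry["version"]
            if entry.get("dependencies"):
                stack.append(entry["dependencies"])


def find_vulnerable(lock: dict, min_safe: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, locked version, required minimum) for every entry below the bar."""
    findings = set()
    for name, version in iter_locked_versions(lock):
        required = min_safe.get(name)
        if required and parse_version(version) < parse_version(required):
            findings.add((name, version, required))
    return sorted(findings)  # set() collapses the v1/v2 duplicates in one file


def audit_file(path: str, min_safe: Dict[str, str] = ASSUMED_MIN_SAFE) -> List[Tuple[str, str, str]]:
    """Load a lockfile from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return find_vulnerable(json.load(fh), min_safe)


# Constructed sample lockfiles: a v1 tree with a transitive underscore copy,
# and a v2 map where only the nested underscore is outdated.
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "marked": {"version": "0.8.2"},
        "underscore": {"version": "1.12.1"},
        "some-tool": {
            "version": "4.2.0",
            "dependencies": {"underscore": {"version": "1.9.1"}},
        },
    },
}
SAMPLE_LOCK_V2 = {
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-project"},
        "node_modules/marked": {"version": "2.0.3"},
        "node_modules/some-tool/node_modules/underscore": {"version": "1.10.2"},
    },
}

if __name__ == "__main__":
    lock_path = sys.argv[1] if len(sys.argv) > 1 else None
    hits = audit_file(lock_path) if lock_path else find_vulnerable(SAMPLE_LOCK_V1, ASSUMED_MIN_SAFE)
    for name, locked, required in hits:
        print(f"{name} {locked} is below minimum safe version {required}")
    sys.exit(1 if hits else 0)
```

Run it as `python audit_lock.py package-lock.json` in a CI step; a non-zero exit blocks a lockfile that pins a vulnerable copy anywhere in the tree, which is the case a top-level `npm ls` glance tends to miss.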


akien-mga added a commit to akien-mga/godot that referenced this pull request May 12, 2021
akien-mga added a commit to godotengine/godot that referenced this pull request May 13, 2021
jsdoc has no new release so I'm tracking this PR:
jsdoc/jsdoc#1906

(cherry picked from commit e743b6b)
@hegemonic
Contributor

Superseded by f7a64bd. JSDoc 3.6.7 is now available with updated dependencies.

@hegemonic hegemonic closed this May 15, 2021