SEC-900: Upgrade nodemon to use fixed minimatch (#2716)
For website rendering nodemon@2.0.19 was used, which depends on
vulnerable minimatch@3.0.4 (CVE-2022-3517). Even though it seems
unlikely that it might affect the MusicBrainz website, upgrading to
nodemon@2.0.20 makes it use the fixed minimatch@3.1.2 instead.

Note: Other dependencies to minimatch@3.0.4 are used in a development
context only (even glob@7.0.0 via @babel/cli@7.14.8 and shelljs@0.8.5).
yvanzo committed Nov 8, 2022
1 parent a7d7192 commit ca2b138
Showing 2 changed files with 13 additions and 6 deletions.
2 changes: 1 addition & 1 deletion package.json
@@ -49,7 +49,7 @@
"less-plugin-clean-css": "1.5.1",
"leven": "2.0.0",
"mutate-cow": "4.1.1",
"nodemon": "2.0.19",
"nodemon": "2.0.20",
"pg": "8.3.3",
"pg-cursor": "2.3.3",
"po2json": "0.4.1",
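Review bot: the exact pin `"nodemon": "2.0.20"` only guarantees that nodemon's own declared range moves off the vulnerable release; it does not by itself remove minimatch@3.0.4 from the install tree. Before merging, run `yarn why minimatch` and confirm that every remaining resolution to 3.0.4 is reached through the development-only paths the commit message lists (glob@7.0.0 via @babel/cli and shelljs), and that nothing used at website render time still pulls it in.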
17 changes: 12 additions & 5 deletions yarn.lock
@@ -4029,6 +4029,13 @@ minimatch@^3.0.4:
dependencies:
brace-expansion "^1.1.7"

minimatch@^3.1.2:
version "3.1.2"
resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
dependencies:
brace-expansion "^1.1.7"

minimist@1.2.0:
version "1.2.0"
resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz#a35008b20f41383eec1fb914f4cd5df79a264284"
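Review bot: this hunk adds a second lockfile entry, `minimatch@^3.1.2:` resolving to 3.1.2, while the existing `minimatch@^3.0.4:` entry above it is left in place, so the project now installs two copies of minimatch and the vulnerable 3.0.4 is still present for every other dependent. Since 3.1.2 satisfies `^3.0.4`, the two entries can be collapsed into one (`minimatch@^3.0.4, minimatch@^3.1.2:` with `version "3.1.2"`), for example via `yarn-deduplicate` or a manual edit followed by `yarn install`; that would drop the CVE-2022-3517 version from the tree entirely instead of only from nodemon's path, and would make `yarn audit` clean rather than relying on the dev-only argument in the commit message.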
@@ -4139,15 +4146,15 @@ node-releases@^1.1.73:
resolved "https://registry.yarnpkg.com/node-releases/-/node-releases-1.1.74.tgz#e5866488080ebaa70a93b91144ccde06f3c3463e"
integrity sha512-caJBVempXZPepZoZAPCWRTNxYQ+xtG/KAi4ozTA5A+nJ7IU+kLQCbqaUjb5Rwy14M9upBWiQ4NutcmW04LJSRw==

nodemon@2.0.19:
version "2.0.19"
resolved "https://registry.yarnpkg.com/nodemon/-/nodemon-2.0.19.tgz#cac175f74b9cb8b57e770d47841995eebe4488bd"
integrity sha512-4pv1f2bMDj0Eeg/MhGqxrtveeQ5/G/UVe9iO6uTZzjnRluSA4PVWf8CW99LUPwGB3eNIA7zUFoP77YuI7hOc0A==
nodemon@2.0.20:
version "2.0.20"
resolved "https://registry.yarnpkg.com/nodemon/-/nodemon-2.0.20.tgz#e3537de768a492e8d74da5c5813cb0c7486fc701"
integrity sha512-Km2mWHKKY5GzRg6i1j5OxOHQtuvVsgskLfigG25yTtbyfRGn/GNvIbRyOf1PSCKJ2aT/58TiuUsuOU5UToVViw==
dependencies:
chokidar "^3.5.2"
debug "^3.2.7"
ignore-by-default "^1.0.1"
minimatch "^3.0.4"
minimatch "^3.1.2"
pstree.remy "^1.1.8"
semver "^5.7.1"
simple-update-notifier "^1.0.7"
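Review bot: the `resolved` URL and `integrity` SRI hash change together with the version, and the nested `minimatch "^3.1.2"` range is what introduces the new lockfile entry, which is consistent with a generated `yarn upgrade` rather than a hand edit; keep it that way so the integrity value stays authoritative. The dependency block also still declares `semver "^5.7.1"` and `debug "^3.2.7"`, so it is worth recording in the PR which upstream nodemon release notes justify 2.0.20 as the minimal fix, so that the security rationale is auditable later.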