
Bump chokidar & juice to resolve a security vulnerability #1629

Merged
merged 4 commits into from
Jun 26, 2019

Conversation

schmod
Contributor

@schmod schmod commented Jun 25, 2019

Small PR to bump two dependencies that have transitive dependencies with vulnerabilities (as found by snyk):

✗ High severity vulnerability found in set-value
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
  Introduced through: mjml@4.4.0-beta.2
  From: mjml@4.4.0-beta.2 > mjml-cli@4.4.0-beta.2 > chokidar@2.1.6 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > set-value@2.0.0
  From: mjml@4.4.0-beta.2 > mjml-cli@4.4.0-beta.2 > chokidar@2.1.6 > readdirp@2.2.1 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > set-value@2.0.0
  From: mjml@4.4.0-beta.2 > mjml-cli@4.4.0-beta.2 > chokidar@2.1.6 > anymatch@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > set-value@2.0.0
  and 19 more...

✗ High severity vulnerability found in mixin-deep
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
  Introduced through: mjml@4.4.0-beta.2
  From: mjml@4.4.0-beta.2 > mjml-cli@4.4.0-beta.2 > chokidar@2.1.6 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > mixin-deep@1.3.1
  From: mjml@4.4.0-beta.2 > mjml-cli@4.4.0-beta.2 > chokidar@2.1.6 > readdirp@2.2.1 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > mixin-deep@1.3.1
  From: mjml@4.4.0-beta.2 > mjml-cli@4.4.0-beta.2 > chokidar@2.1.6 > anymatch@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > mixin-deep@1.3.1
  and 8 more...

✗ High severity vulnerability found in lodash.merge
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/SNYK-JS-LODASHMERGE-173732
  Introduced through: mjml@4.4.0-beta.2
  From: mjml@4.4.0-beta.2 > mjml-core@4.4.0-beta.2 > juice@4.3.2 > cheerio@0.22.0 > lodash.merge@4.6.1
  From: mjml@4.4.0-beta.2 > mjml-head-title@4.4.0-beta.2 > mjml-core@4.4.0-beta.2 > juice@4.3.2 > cheerio@0.22.0 > lodash.merge@4.6.1
  From: mjml@4.4.0-beta.2 > mjml-button@4.4.0-beta.2 > mjml-core@4.4.0-beta.2 > juice@4.3.2 > cheerio@0.22.0 > lodash.merge@4.6.1
  and 26 more...

addresses a few security vulnerabilities
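The triage the PR description does by hand, walking each Snyk "From:" chain back to the direct dependency whose version range controls the vulnerable subtree, as an added example that is not part of the PR or of the mjml project. It assumes the monorepo's own packages are those named `mjml` or `mjml-*`, and the report text is a constructed, trimmed copy of the snyk output quoted above.

```javascript
// Constructed sample: a trimmed copy of the snyk output quoted in the PR.
const SNYK_REPORT = `✗ High severity vulnerability found in set-value
  From: mjml@4.4.0-beta.2 > mjml-cli@4.4.0-beta.2 > chokidar@2.1.6 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > set-value@2.0.0
  From: mjml@4.4.0-beta.2 > mjml-cli@4.4.0-beta.2 > chokidar@2.1.6 > anymatch@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > set-value@2.0.0
✗ High severity vulnerability found in mixin-deep
  From: mjml@4.4.0-beta.2 > mjml-cli@4.4.0-beta.2 > chokidar@2.1.6 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > mixin-deep@1.3.1
✗ High severity vulnerability found in lodash.merge
  From: mjml@4.4.0-beta.2 > mjml-core@4.4.0-beta.2 > juice@4.3.2 > cheerio@0.22.0 > lodash.merge@4.6.1
  From: mjml@4.4.0-beta.2 > mjml-head-title@4.4.0-beta.2 > mjml-core@4.4.0-beta.2 > juice@4.3.2 > cheerio@0.22.0 > lodash.merge@4.6.1
`;

// "name@version" -> "name", also for scoped packages such as "@scope/pkg@1.0.0".
function pkgName(spec) {
  const i = spec.lastIndexOf('@');
  return i > 0 ? spec.slice(0, i) : spec;
}

// Assumption: the monorepo's own packages are "mjml" and "mjml-*". Those hops are
// under our control; the first hop that is NOT one of them is the direct dependency
// whose version range has to be bumped to pull in a fixed transitive tree.
function isWorkspacePkg(spec, prefix) {
  const name = pkgName(spec);
  return name === prefix || name.startsWith(prefix + '-');
}

// Parse the report into { vulnerablePkg: { severity, paths, bump: Set<directDep> } }.
function parseSnykReport(text, workspacePrefix = 'mjml') {
  const findings = {};
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const head = line.match(/^\S+ (\w+) severity vulnerability found in (.+)$/);
    if (head) {
      current = { severity: head[1], paths: 0, bump: new Set() };
      findings[head[2]] = current;
    } else if (current && line.startsWith('From: ')) {
      const hops = line.slice('From: '.length).split(' > ');
      const direct = hops.find(h => !isWorkspacePkg(h, workspacePrefix));
      if (direct) current.bump.add(direct);
      current.paths += 1;
    }
  }
  return findings;
}

// Collapse every finding into the sorted list of direct dependencies to bump.
function bumpPlan(findings) {
  const all = new Set();
  for (const f of Object.values(findings)) f.bump.forEach(d => all.add(d));
  return [...all].sort(); // for the sample above: ['chokidar@2.1.6', 'juice@4.3.2']
}
```

Running `bumpPlan(parseSnykReport(SNYK_REPORT))` on the sample yields exactly the two packages this PR bumps; re-running snyk after the bump confirms whether the new ranges actually resolve to patched `set-value`, `mixin-deep` and `lodash.merge` versions.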
@iRyusa
Member

iRyusa commented Jun 25, 2019

I'm not sure that the very light, small test suite is able to provide any feedback on support for node 12 yet.

For the version bump I think we can just merge this directly cc @kmcb777

@iRyusa iRyusa self-requested a review June 25, 2019 19:50
@schmod
Contributor Author

schmod commented Jun 25, 2019

Yeah. I basically just listed all of the Node versions that are still within their support/maintenance window. Given that the tests currently pass, it seems like a reasonable start 🤷‍♂

@kmcb777 kmcb777 merged commit c8e104e into mjmlio:next Jun 26, 2019