Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: mitigate security advisory 886 #198

Closed
wants to merge 2 commits into from
Closed

chore: mitigate security advisory 886 #198

wants to merge 2 commits into from

Conversation

hughrawlinson
Copy link

@hughrawlinson hughrawlinson commented May 22, 2019
edited

node-gyp@3.8.0 uses fstream@1.0.11, which has this advisory: https://www.npmjs.com/advisories/886

node-gyp@4.0.0 resolved that vulnerability by removing dependencies on fstream.

I also bumped npm-lifecycle@2.1.0 to 2.1.1, which does the same as above.

The tests don't pass locally, but I'm hoping the reasons why become more clear by running on CI, so that I can resolve them.

Please feel free to close this if it doesn't make sense for some reason I haven't thought of (or of course for any other reason). Thank you all for all you do! 馃槃

@hughrawlinson
chore: update node-gyp to mitigate a security advisory
387af97 
node-gyp@3.8.0 uses fstream@1.0.11, which has this advisory: https://www.npmjs.com/advisories/886

node-gyp@4.0.0 uses fstream@1.0.12, which has resolved the issue
@hughrawlinson hughrawlinson requested a review from a team as a code owner May 22, 2019 13:05
@hughrawlinson
(chore) bump npm-lifecycle
655bc7b 
npm-lifecycle@2.1.0 also depends on node-gyp@3.8.0.

Bumping to npm-lifecycle@2.1.1 addresses the issue
@hughrawlinson hughrawlinson changed the title chore: update node-gyp to mitigate a security advisory chore: mitigate security advisory 886 May 22, 2019
@daviwil daviwil mentioned this pull request May 26, 2019
Closed
@valdemon valdemon mentioned this pull request May 27, 2019
Open
@joaogarin joaogarin mentioned this pull request May 29, 2019
Closed
@brettz9
Copy link
Contributor

brettz9 commented Jun 10, 2019
edited

Would be great to get this looked at, as npm audit is listing 12 high risk advisories resulting from these two packages (none of which is npm audit fix working to fix)...

@Haprog Haprog mentioned this pull request Jun 18, 2019
Merged
@gobengo gobengo mentioned this pull request Jun 23, 2019
Closed
3 tasks
@isaacs
Copy link
Contributor

isaacs commented Jun 26, 2019

Bumping to node-gyp v4 will take some more refactoring, but the fstream vuln will be fixed in the next release. Thanks!

@isaacs isaacs closed this Jun 26, 2019
@hughrawlinson hughrawlinson deleted the bump-node-gyp branch June 27, 2019 16:58
@gutwrinch gutwrinch mentioned this pull request Oct 19, 2023
Merged
@bumplzz69 bumplzz69 mentioned this pull request Nov 30, 2023
Open
@Bhanditz Bhanditz mentioned this pull request Nov 30, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@hughrawlinson @brettz9 @isaacs