
[BUG]: Upgrade universal-github-app-jwt 1.1.2 to close CVE-2022-25883 #561

Closed
1 task done
nitrocode opened this issue Jan 4, 2024 · 5 comments · Fixed by #562
Labels
released Status: Up for grabs Issues that are ready to be worked on by anyone Type: Bug Something isn't working as documented, or is being fixed

Comments

@nitrocode
Contributor

nitrocode commented Jan 4, 2024

What happened?

See

Once the PR is merged, 1.1.2 will be available to upgrade to, and I'll submit a PR in this repo. This issue is just so I remember to do it (unless someone beats me to it).

Versions

v6.0.2

Relevant log output

No upgrade or patch available
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795] in semver@7.3.5
    introduced by probot@12.3.3 > octokit-auth-probot@1.2.6 > @octokit/auth-app@3.6.1 > universal-github-app-jwt@1.1.1 > jsonwebtoken@9.0.0 > semver@7.3.8 and 4 other path(s)
  This issue was fixed in versions: 5.7.2, 6.3.1, 7.5.2

Code of Conduct

  • I agree to follow this project's Code of Conduct
@nitrocode nitrocode added Status: Triage This is being looked at and prioritized Type: Bug Something isn't working as documented, or is being fixed labels Jan 4, 2024
Contributor

github-actions bot commented Jan 4, 2024

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@nickfloyd nickfloyd added the Status: Up for grabs Issues that are ready to be worked on by anyone label Jan 4, 2024
@wolfy1339 wolfy1339 removed the Status: Triage This is being looked at and prioritized label Jan 4, 2024
@wolfy1339
Member

@nitrocode Hey! Are you still interested in taking this up?

@nitrocode
Contributor Author

@wolfy1339 sure thing. I linked my PR.

@nitrocode
Contributor Author

Once PR #562 is merged with a new release and your PR probot/probot#1874 is merged, then probot should have the vulnerability fully closed.

Contributor

github-actions bot commented Jan 9, 2024

🎉 This issue has been resolved in version 6.0.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

3 participants