
[Snyk] Fix for 1 vulnerable dependency path #299

Merged
merged 2 commits into from Feb 1, 2017

Conversation

@snyk-bot (Contributor) commented Nov 21, 2016

This pull request fixes one or more vulnerable packages in the npm dependencies of this project. See the Snyk test report for this project for details.

The PR includes:

  • Changes to your package.json to upgrade the vulnerable dependencies to a fixed version.

Vulnerabilities that will be fixed

With an upgrade:

You can read more about Snyk's upgrade and patch logic in Snyk's documentation.

Check the changes in this PR to ensure they won't cause issues with your project.

Stay secure,
The Snyk team

snyk-bot and others added 2 commits Nov 21, 2016
@m-mcgowan (Contributor) commented Jan 24, 2017

Anyone else have any concerns merging this? My feeling is that we leave it:

  • the contributor has not signed the CLA,
  • it may be a breaking change which we need to spend time testing,
  • the vulnerability is DoS on the server. I don't think the user of the CLI would pose much risk here.

Those are my initial thoughts, which are not strongly held opinions.

@kennethlimcp (Contributor) commented Jan 24, 2017

@m-mcgowan isn't this an automated bot submitting PRs for dependency issues? :)

@snyk-bot (Contributor, Author) commented Jan 24, 2017

@m-mcgowan @kennethlimcp We opened this PR because the version of glob in your package.json uses a vulnerable version of minimatch.

As this is a major version release update to glob, please do verify that this does not break anything before merging this.

We've now signed the CLA, and we can confirm that we are not a bot! This message was written by @joshje and @EvKissle 😄

@m-mcgowan m-mcgowan changed the base branch from master to develop Feb 1, 2017

@m-mcgowan m-mcgowan merged commit 64b8e1c into develop Feb 1, 2017

4 checks passed

  • continuous-integration/appveyor/branch: AppVeyor build succeeded
  • continuous-integration/appveyor/pr: AppVeyor build succeeded
  • continuous-integration/travis-ci/pr: The Travis CI build passed
  • continuous-integration/travis-ci/push: The Travis CI build passed
@m-mcgowan (Contributor) commented Feb 1, 2017

Tested using particle config list which internally uses glob in the same way the compile include/exclude does.

Acceptance tests include a compile with an include file, which also uses globs.
