Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: vuln in transitive pkg of configstore (dot-prop) #990

Merged
merged 2 commits into from
Jan 31, 2020
Merged

fix: vuln in transitive pkg of configstore (dot-prop) #990

merged 2 commits into from
Jan 31, 2020

Conversation

jjmschofield
Copy link
Contributor

@jjmschofield jjmschofield commented Jan 31, 2020
edited by lili2311

  • Ready for review
  • Follows CONTRIBUTING rules
  • Reviewed by Snyk internal team

What does this PR do?

Replaces configstore to a fork from snyk which patches version 3.1.2 to use the latest version of dot-prop.

What this commit contains:

  • removing direct deps update-notifier and configstore
  • replace them with forked and published versions under @snyk scope @snyk/configstore @snyk/update-notifier
  • Each of the new deps has their version of dot-prop raised to 5.2.0

@jjmschofield jjmschofield requested a review from a team as a code owner January 31, 2020 13:31
@ghost ghost requested review from dkontorovskyy and orsagie January 31, 2020 13:31
@jjmschofield jjmschofield changed the title fix: switch config store 3.1.2 to a fork with latest version of dot-prop fix: vuln in transitive pkg of configstore (dot-prop) Jan 31, 2020
@jjmschofield
fix: use @snyk/configstore instead of configstore
93845d9 
Using a forked version of configstore to fix a a prototype pollution in its dependency dot-prop present in versions < 5.1.0
@jjmschofield @lili2311
fix: use @snyk/update-notifier instead of update-notifier
b74bbe2 
Using a forked version of update-notifier to fix a
prototype pollution in its dependency dot-prop present
in versions < 5.1.0
@lili2311 lili2311 merged commit bc4074a into master Jan 31, 2020
@lili2311 lili2311 deleted the fix/dot-prop-vuln-update branch January 31, 2020 17:01
@snyksec
Copy link

snyksec commented Jan 31, 2020

🎉 This PR is included in version 1.290.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@orkamara orkamara mentioned this pull request Feb 2, 2020
Merged
1 task
@FauxFaux FauxFaux mentioned this pull request May 15, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lili2311 lili2311 lili2311 approved these changes

@dkontorovskyy dkontorovskyy Awaiting requested review from dkontorovskyy

@orsagie orsagie Awaiting requested review from orsagie

Assignees

@jjmschofield jjmschofield

Labels
released
Projects
None yet
Milestone
No milestone
3 participants
@jjmschofield @snyksec @lili2311