Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump dependencies #190

Merged
merged 1 commit into from Mar 27, 2020
Merged

Bump dependencies #190

merged 1 commit into from Mar 27, 2020

Conversation

DarthHater
Copy link
Member

@DarthHater DarthHater commented Mar 27, 2020
edited

This PR bumps yargs to 15.13.1 or greater, given an upstream update to yargs-parser which was vulnerable to prototype pollution.

Our exposure to minimist 0.0.8 is via node-persist and through mkdirp. I've filed an issue with node-persist suggesting a change that would fix the issue (quit using mkdirp, you can create a directory recursively with node natively as of 10.12 now). Issue is here: simonlast/node-persist#123

This pull request makes the following changes:

  • Updates yargs version range

It relates to the following issue #s:

cc @bhamail / @DarthHater / @allenhsieh / @ken-duck

ButterB0wl
ButterB0wl approved these changes Mar 27, 2020
View reviewed changes
Copy link
Contributor

@ButterB0wl ButterB0wl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and it got rid of yargs-parser just fine.

Minimist 0.0.8 is still in there as a prod dependency of node-persist:

ajurgenson@ArtieSonaDell:~/git_repos/auditjs$ npm ls minimist --production
auditjs@4.0.13 /home/ajurgenson/git_repos/auditjs
└─┬ node-persist@3.0.5
└─┬ mkdirp@0.5.1
└── minimist@0.0.8

@DarthHater filed in issue with node-persist here: simonlast/node-persist#123

Will see how responsive that team is and if not explore alternatives to remove the minimist vuln.

@ButterB0wl ButterB0wl merged commit 69598e5 into master Mar 27, 2020
@DarthHater DarthHater deleted the DependencyBumps branch March 27, 2020 20:08
DarthHater pushed a commit that referenced this pull request Mar 27, 2020
chore(release): 4.0.14 [skip ci]
0c6b4b6 
## [4.0.14](v4.0.13...v4.0.14) (2020-03-27)

### Bug Fixes

* Bump yargs due to yargs/yargs-parser#258 ([#190](#190)) ([69598e5](69598e5))
@DarthHater
Copy link
Member Author

🎉 This PR is included in version 4.0.14 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ButterB0wl ButterB0wl ButterB0wl approved these changes

@allenhsieh allenhsieh Awaiting requested review from allenhsieh

@bhamail bhamail Awaiting requested review from bhamail

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@DarthHater @ButterB0wl