Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix for CVE-2021-23425 #3

Merged
merged 2 commits into from Sep 17, 2021
Merged

fix for CVE-2021-23425 #3

merged 2 commits into from Sep 17, 2021

Conversation

Trott
Copy link
Collaborator

@Trott Trott commented Sep 4, 2021

@stevemao I know it's been over 6 years since anything happened with this repository/package, but it would be great if you could merge this and publish a new version.

Copy link

@cchampou cchampou left a comment

Tested locally and works fine 💯

@aixellent
Copy link

@aixellent aixellent commented Sep 9, 2021

@stevemao can you merge that please? :)

Divlo
Divlo approved these changes Sep 9, 2021
@Samarium150 Samarium150 mentioned this pull request Sep 13, 2021
@Trott
Copy link
Collaborator Author

@Trott Trott commented Sep 13, 2021

For people arriving here looking for a solution in the absence of a new release: If you remove node_modules and package-lock.json and then run npm install, you might fix the Snyk/GitHub interface warning.

Explanation: For a lot of people, this is coming from conventional-commits-parser 3.2.1 or older. (This would not typically be a direct dependency. It would be a dependency of another package, such as semantic-release.) conventional-commits-parser 3.2.2 removed trim-off-newlines as a dependency, thus fixing this issue for that package. Ref: conventional-changelog/conventional-changelog#841

If you depend on trim-off-newlines from something else, then this solution may not work. But I suspect this is where most people's issues are coming from.

@hadasbloom
Copy link

@hadasbloom hadasbloom commented Sep 22, 2021

@stevemao I tried contacting you via email regarding this issue a couple of times (maybe went to your spam). I believe this is an incomplete fix for this CVE, if you could take a look at my email that would be great. Thanks!

Hadas from the Snyk Security Team

@Trott
Copy link
Collaborator Author

@Trott Trott commented Sep 23, 2021

@hadasbloom If you're comfortable sharing the information with me, my email is in my GitHub profile.

@Trott
Copy link
Collaborator Author

@Trott Trott commented Sep 23, 2021

@hadasbloom If you're comfortable sharing the information with me, my email is in my GitHub profile.

Actually, I think I found the problem that you likely identified. I'll test a bit more and if I'm Not Wrong About That, I'll get a PR in to fix it soon.

@Trott
Copy link
Collaborator Author

@Trott Trott commented Sep 23, 2021

@hadasbloom Please take a look at #4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

8 participants