Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update minimatch to version 3.0.5. The current version has a security vulnerability #2163

Closed
1 task
Siafu opened this issue May 23, 2022 · 1 comment · Fixed by #2171
Closed
1 task

Update minimatch to version 3.0.5. The current version has a security vulnerability #2163

Siafu opened this issue May 23, 2022 · 1 comment · Fixed by #2171
Assignees
@P0lip
Labels
chore released

Comments

@Siafu
Copy link

Siafu commented May 23, 2022

Chore summary
Update minimatch to version 3.0.5 for official Docker release.

minimatch contains a flaw in the braceExpand() function in minimatch.js that is triggered as an improper regular expression is used to match patterns for brace expansion. This may allow a context-dependent attacker to hang or slow down a Node process using the library.

Tasks

  • Add resolution to package.json
"resolutions": {
    "minimatch": "^3.0.5"
  }
@Siafu Siafu added the chore label May 23, 2022
@P0lip P0lip mentioned this issue May 31, 2022
Merged
4 tasks
@P0lip P0lip self-assigned this May 31, 2022
@stoplight-bot
Copy link
Collaborator

🎉 This issue has been resolved in version @stoplight/spectral-core-v1.12.3 🎉

The release is available on npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@P0lip P0lip

Labels
chore released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore(core): bump minimatch from 3.0.4 to 3.1.2 stoplightio/spectral
3 participants
@Siafu @P0lip @stoplight-bot