
fix(package): update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) #1537

Merged (1 commit), Oct 23, 2018

Conversation


@sarbbottam sarbbottam commented Oct 23, 2018

  • This is a bugfix
  • This is a code refactor
  • This is a test update
  • This is a typo fix
  • This is a metadata update

For Bugs and Features; did you add new tests?

N/A - the bug is not in webpack-dev-server but a dependency.

Motivation / Use-Case

Incorrect parsing in url-parse <1.4.3 returns a wrong hostname, which leads to multiple vulnerabilities such as SSRF, Open Redirect, and Bypass Authentication Protocol.
Please refer to https://nvd.nist.gov/vuln/detail/CVE-2018-3774 for further details.

Breaking Changes

NA

Additional Info

NA
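To confirm whether an installed tree is still exposed to the url-parse issue this PR addresses, an added example (not part of the PR or of webpack-dev-server) walks a package-lock.json and reports every url-parse copy below the fixed version 1.4.3 together with the dependency chain that pulls it in. It assumes the lockfileVersion 1 layout (nested "dependencies" objects carrying a "version"), release-only version strings, and a constructed lockfile fragment as input.

```javascript
// Added example, not code from the PR: scan a lockfileVersion 1 package-lock.json
// tree for url-parse copies older than the fixed release named in the PR.
const FIXED_URL_PARSE = '1.4.3';

// Compare two release versions of the form x.y.z; prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect vulnerable url-parse entries, each with its parent chain,
// so a nested (non-hoisted) copy under sockjs-client is not missed.
function findVulnerableUrlParse(deps, path = [], out = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${meta.version}`];
    if (name === 'url-parse' && compareVersions(meta.version, FIXED_URL_PARSE) < 0) {
      out.push(here.join(' > '));
    }
    findVulnerableUrlParse(meta.dependencies, here, out);
  }
  return out;
}

// Constructed lockfile fragment (versions chosen for illustration): the hoisted
// top-level url-parse is already fixed, but the old sockjs-client 1.1.5 still
// nests an older copy.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'url-parse': { version: '1.4.3' },
    'sockjs-client': {
      version: '1.1.5',
      dependencies: { 'url-parse': { version: '1.4.2' } },
    },
  },
};

console.log(findVulnerableUrlParse(sampleLock.dependencies));
// → [ 'sockjs-client@1.1.5 > url-parse@1.4.2' ]
```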


@jsf-clabot jsf-clabot commented Oct 23, 2018

CLA assistant check
All committers have signed the CLA.

@michael-ciniawsky michael-ciniawsky changed the title fix(url-parse): updated sockjs-client to address url-parse vulnerability fix(package): update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) Oct 23, 2018
@michael-ciniawsky michael-ciniawsky added this to the 3.1.10 milestone Oct 23, 2018

@codecov codecov bot commented Oct 23, 2018

Codecov Report

Merging #1537 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #1537   +/-   ##
=======================================
  Coverage   74.02%   74.02%           
=======================================
  Files          10       10           
  Lines         666      666           
=======================================
  Hits          493      493           
  Misses        173      173

@michael-ciniawsky michael-ciniawsky merged commit e719959 into webpack:master Oct 23, 2018
5 checks passed

@michael-ciniawsky michael-ciniawsky commented Oct 23, 2018

Released in v3.1.10 🎉

@michael-ciniawsky michael-ciniawsky removed this from the 3.1.10 milestone Oct 23, 2018