
fix: address prototype pollution issue #108

Merged: 1 commit merged Oct 25, 2020

Conversation

@bcoe (Member) commented Oct 25, 2020

@po6ix @joaogmauricio I appreciate the vulnerability report, I believe this addresses the problem (let me know if you can confirm). Also let me know if you can think of any additional regression tests.

@JamieSlome, @alromh87, I like the idea of huntr, I'd rather have a company submit a patch than simply notify me of a CVE. #107 was just not in line with how I've been addressing this issue elsewhere in the yargs codebase.

CC: @ljharb
Fixes: #96

@ljharb approved these changes Oct 25, 2020

@JamieSlome commented Oct 25, 2020

@bcoe - that is great to hear - we'd love to work with you to get fixes into the repository in the future. Would you be available to discuss this further together?

@bcoe bcoe merged commit a9ac604 into master Oct 25, 2020
7 checks passed: test (10.x), test (12.x), test (14.x), windows, coverage, deno
@bcoe bcoe deleted the fix-96 branch Oct 25, 2020
@bcoe (Member, Author) commented Oct 25, 2020

@JamieSlome happy to discuss more, email is a good place to start as I'm pretty full of meetings over the next few weeks.

@JamieSlome commented Oct 26, 2020

@bcoe - I will shoot over an e-mail to you today!

@stof commented Nov 19, 2020

@bcoe will this be backported to the older major version?

  • webpack 4 depends on a version of cacache (through the terser-webpack-plugin) which uses y18n 4.x
  • webpack-dev-server and webpack-cli are using yargs 13 which uses y18n 4.x
  • gulp-cli is using yargs 7 which uses y18n 3.x

billyvg pushed a commit to getsentry/sentry that referenced this pull request Mar 30, 2021
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

There's no changelog entry for this version, but based on the publish date of `4.0.1`, I think the release addresses this issue: yargs/y18n#108
@fungiboletus fungiboletus mentioned this pull request Mar 31, 2021