
bump verdaccio #2373

Merged
merged 1 commit into from
Dec 30, 2024

Conversation

rtpascual
Contributor

Problem

Running npm audit, we have a vulnerability from a downstream dependency of verdaccio:

# npm audit report

path-to-regexp  <0.1.12
Severity: moderate
Unpatched `path-to-regexp` ReDoS in 0.1.x - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
fix available via `npm audit fix`
node_modules/path-to-regexp
  express  4.0.0-rc1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of path-to-regexp
  node_modules/express
    @verdaccio/middleware  <=8.0.0-next-8.6
    Depends on vulnerable versions of express
    node_modules/@verdaccio/middleware
      verdaccio  2.2.7-r - 2.7.2 || 3.0.0-alpha.1 - 6.0.4 || 7.0.0-next.0 - 8.0.0-next-8.6
      Depends on vulnerable versions of @verdaccio/middleware
      Depends on vulnerable versions of express
      Depends on vulnerable versions of verdaccio-audit
      node_modules/verdaccio
    verdaccio-audit  0.0.2 - 13.0.0-next-8.6
    Depends on vulnerable versions of express
    node_modules/verdaccio-audit

Issue number, if available:

Changes

Bump verdaccio to patched version.

Corresponding docs PR, if applicable:

Validation

After updating verdaccio to latest:

➜  amplify-backend git:(main) ✗ npm audit
found 0 vulnerabilities

Checklist

  • If this PR includes a functional change to the runtime behavior of the code, I have added or updated automated test coverage for this change.
  • If this PR requires a change to the Project Architecture README, I have included that update in this PR.
  • If this PR requires a docs update, I have linked to that docs PR above.
  • If this PR modifies E2E tests, makes changes to resource provisioning, or makes SDK calls, I have run the PR checks with the run-e2e label set.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
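The audit tree in the description shows three routes from verdaccio down to the unpatched path-to-regexp. The following is an added example, not code from this PR or from the amplify-backend repository: a small Node script that walks the "packages" map of a package-lock.json (lockfile v2/v3 layout) and lists every dependency chain ending at an installed version below the first patched release, so the same check can be run before and after a bump. The lockfile is constructed inline to mirror the advisory chain; its version numbers are illustrative and not taken from the repository.

```javascript
// Added example (not from the amplify-backend PR): list dependency chains in a
// package-lock.json "packages" map that end at a package version below the fix.
// Constructed lockfile mirroring the audit tree in the PR; versions illustrative.
const lock = {
  packages: {
    "": { name: "amplify-backend", dependencies: { verdaccio: "*" } },
    "node_modules/verdaccio": { version: "6.0.4", dependencies: { "@verdaccio/middleware": "*", express: "*", "verdaccio-audit": "*" } },
    "node_modules/@verdaccio/middleware": { version: "8.0.0-next-8.6", dependencies: { express: "*" } },
    "node_modules/verdaccio-audit": { version: "13.0.0-next-8.6", dependencies: { express: "*" } },
    "node_modules/express": { version: "4.21.1", dependencies: { "path-to-regexp": "0.1.x" } },
    "node_modules/path-to-regexp": { version: "0.1.10" },
  },
};
// Compare major.minor.patch only; prerelease tags are ignored (simplifying assumption).
function lessThan(a, b) {
  const x = a.split("-")[0].split(".").map(Number);
  const y = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  return false;
}
// Lockfile key that `dep` resolves to for the package at key `from`: nested
// node_modules first, then each parent directory, as Node's resolver does.
function resolve(packages, from, dep) {
  let base = from;
  for (;;) {
    const key = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[key]) return key;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i < 0 ? "" : base.slice(0, i);
  }
}
// Depth-first walk from the root; returns chains like "a@1 > b@2 > target@ver".
// `seen` tracks only the current path, so a shared dep (express) shows in every chain.
function vulnerableChains(lock, target, fixedVersion) {
  const pkgs = lock.packages, chains = [];
  const walk = (key, path, seen) => {
    for (const dep of Object.keys(pkgs[key].dependencies || {})) {
      const depKey = resolve(pkgs, key, dep);
      if (!depKey || seen.has(depKey)) continue; // missing lock entry or cycle
      const next = [...path, dep + "@" + pkgs[depKey].version];
      if (dep === target) {
        if (lessThan(pkgs[depKey].version, fixedVersion)) chains.push(next.join(" > "));
      } else walk(depKey, next, new Set(seen).add(depKey));
    }
  };
  walk("", [], new Set());
  return chains;
}
console.log(vulnerableChains(lock, "path-to-regexp", "0.1.12").join("\n"));
```

Against a real lockfile, replace the constructed `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result after the bump corresponds to the "found 0 vulnerabilities" shown in the validation step.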

@rtpascual rtpascual requested a review from a team as a code owner December 27, 2024 18:46

changeset-bot bot commented Dec 27, 2024

⚠️ No Changeset found

Latest commit: 96925c8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



@sobolk sobolk merged commit 2e5562d into main Dec 30, 2024
48 checks passed
@sobolk sobolk deleted the bump-verdaccio branch December 30, 2024 17:06