
Dependabot alerts: npm audit fix #220

Merged: 1 commit merged into telekom:master from bugfix/dependabot-2022-03-28-audit on Apr 4, 2022

Conversation

@Zsar Zsar commented Mar 28, 2022

Description

Fixes:

  • Improper Verification of Cryptographic Signature in node-forge
  • json-schema is vulnerable to Prototype Pollution
  • Open Redirect in node-forge
  • Prototype Pollution in minimist

Recommend releasing bugfix version, as some of these are Critical(TM).

FWIW: npm disagreed with Dependabot's assertion that breaking changes be required - this is a plain npm audit fix. Updating webpack-dev-server as advised did not result in further fixes (and thence is not included).
... Hopefully npm got it right and Dependabot is wrong.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
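A reviewer of a PR like this usually wants one concrete check: does the resulting package-lock.json carry patched versions of the named packages in every place they are installed, including nested copies that npm audit fix can leave behind under another dependency? The script below is an added example, not code from this PR or the telekom project. It walks a lockfile in either the lockfileVersion 1 layout (nested `dependencies`) or the v2/v3 layout (`packages` keyed by path) and reports copies of the listed packages that sit below a minimum version. The lockfile fragment and the minimum versions are constructed placeholders; the real floors come from the advisories themselves.

```javascript
// Added example (not part of the PR): find installed copies of advisory-listed
// packages in a package-lock.json that are still below a minimum version.

// Small numeric semver compare (major.minor.patch only, no pre-release tags);
// returns <0, 0 or >0 like a comparator. Assumption: lockfile versions are plain.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect { path, name, version } for every installed copy in the lockfile.
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/a/node_modules/minimist"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // "" is the root project itself
      const name = path.split('node_modules/').pop();
      found.push({ path, name, version: meta.version });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: a nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        found.push({ path, name, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Copies of packages named in `minimums` whose version is below the minimum.
// A package with several copies is only clean when every copy passes.
function findUnpatched(lock, minimums) {
  return collectInstalled(lock).filter(
    (p) => p.name in minimums && compareVersions(p.version, minimums[p.name]) < 0
  );
}

// Constructed lockfileVersion 2 fragment: one nested minimist copy lags behind
// the root copy, and node-forge is below the (placeholder) floor.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/minimist': { version: '2.0.0' },
    'node_modules/some-tool': { version: '3.1.0' },
    'node_modules/some-tool/node_modules/minimist': { version: '1.9.9' },
    'node_modules/json-schema': { version: '0.5.0' },
    'node_modules/node-forge': { version: '1.4.0' },
  },
};

// Constructed placeholder minimums; replace with the fixed versions stated in
// each advisory before using this against a real lockfile.
const sampleMinimums = { minimist: '2.0.0', 'json-schema': '0.5.0', 'node-forge': '1.5.0' };

for (const p of findUnpatched(sampleLock, sampleMinimums)) {
  console.log(`UNPATCHED ${p.name}@${p.version} at ${p.path} (need >= ${sampleMinimums[p.name]})`);
}
```

To run it against a real lockfile, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as the first argument of `findUnpatched`. The nested-copy case is the one worth keeping in mind: the root copy of a package can be current while a copy pinned under another dependency is not, and only the lockfile shows that.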

- Improper Verification of Cryptographic Signature in `node-forge`
- json-schema is vulnerable to Prototype Pollution
- Open Redirect in node-forge
- Prototype Pollution in minimist
@Zsar Zsar added the dependencies Pull requests that update a dependency file label Mar 28, 2022
@Zsar Zsar merged commit 0288097 into telekom:master Apr 4, 2022
@Zsar Zsar deleted the bugfix/dependabot-2022-03-28-audit branch April 4, 2022 09:37
@martingrossmann martingrossmann added this to the 1.13 milestone Jun 22, 2022