
[stable23] npm audit fix #3640

Merged
merged 1 commit into stable23 from deps/npm-audit/stable23
Jan 5, 2023

Conversation

@juliusknorr (Member) commented Jan 4, 2023

Making npm audit happy

Manually patching package-lock for using json5 1.0.2 in the following dependency tree:

json5 <1.0.2 || >=2.0.0 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method - GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install vue-jest@4.0.1, which is a breaking change
node_modules/find-babel-config/node_modules/json5
node_modules/json5
node_modules/loader-utils/node_modules/json5
node_modules/tsconfig-paths/node_modules/json5
find-babel-config *
Depends on vulnerable versions of json5
node_modules/find-babel-config
vue-jest 1.0.0 - 3.0.7
Depends on vulnerable versions of find-babel-config
node_modules/vue-jest

The suggested fix did break the tests, but the manual bump seems to work fine even with the breaking json5 version from 0.x to 1.x.
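The advisory quoted in the description (GHSA-9c47-m6qq-7p4h) is about a `__proto__` key in parsed input ending up as the prototype of the object the parser returns. The following is an added example, not JSON5's code and not part of this PR: a key/value builder written first with the plain assignment that causes that behaviour, then with `Object.defineProperty`, which is one common fix, plus a `for...in` merge showing how the injected value reaches application data and why a copy loop on the consuming side must avoid assignment as well. The attacker payload, property names and `isAdmin` flag are constructed for the illustration.

```javascript
// Added example, not JSON5's code and not part of this PR: how a "__proto__"
// key in untrusted input takes over the prototype of an object that a parser
// builds with plain assignment, and how defining the property directly avoids it.

// Naive construction: obj[key] = value. For key "__proto__" this does not create
// a property; it invokes the inherited __proto__ setter and replaces the object's
// prototype with the attacker-supplied value.
function buildNaive(pairs) {
  const obj = {};
  for (const [key, value] of pairs) obj[key] = value;
  return obj;
}

// Defensive construction: Object.defineProperty always creates an own data
// property, so "__proto__" becomes an ordinary key and the prototype is untouched.
function buildSafe(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Constructed attacker payload (hypothetical input, not taken from the advisory).
// JSON.parse itself creates an own property named "__proto__"; the problem starts
// when a parser or copy loop rebuilds the object key by key with assignment.
const ATTACKER_JSON = '{"name":"guest","__proto__":{"isAdmin":true}}';

function pairsFromJson(text) {
  return Object.entries(JSON.parse(text));
}

// A merge written with for...in walks inherited enumerable properties too, and
// assigns with target[key] = ..., so it is a sink in both directions: it copies an
// injected prototype's isAdmin, and it re-triggers the setter for an own "__proto__".
function mergeForIn(target, source) {
  for (const key in source) target[key] = source[key];
  return target;
}

// Hardened merge: own keys only, and every key is defined rather than assigned.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    Object.defineProperty(target, key, {
      value: source[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

function demo() {
  const pairs = pairsFromJson(ATTACKER_JSON);
  const naive = buildNaive(pairs);
  const safe = buildSafe(pairs);
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return {
    naiveIsAdmin: naive.isAdmin,                               // true: inherited from injected prototype
    naiveOwnProto: hasOwn(naive, '__proto__'),                 // false: no such own key exists
    naiveMerged: mergeForIn({ role: 'user' }, naive).isAdmin,  // true: for...in copied the inherited value
    safeIsAdmin: safe.isAdmin,                                 // undefined
    safeOwnProto: hasOwn(safe, '__proto__'),                   // true: stored as a plain own key
    safeMergedNaive: mergeForIn({ role: 'user' }, safe).isAdmin, // true: the consumer's assignment hit the setter
    safeMergedSafe: mergeSafe({ role: 'user' }, safe).isAdmin,   // undefined
    globalUntouched: ({}).isAdmin === undefined,               // true: Object.prototype itself is never modified here
  };
}
```

The `safeMergedNaive` result is the practitioner's caveat: a parser that stores `__proto__` as an own property is correct, but any downstream loop that copies keys with assignment turns it back into a prototype replacement, so the fix has to hold on both sides.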

@juliusknorr juliusknorr changed the base branch from master to stable23 January 4, 2023 13:51
Signed-off-by: Julius Härtl <jus@bitgrid.net>
@juliusknorr juliusknorr requested review from a team, marcelklehr and max-nextcloud and removed request for a team January 5, 2023 06:40
@max-nextcloud max-nextcloud merged commit 8c08235 into stable23 Jan 5, 2023
@delete-merged-branch delete-merged-branch bot deleted the deps/npm-audit/stable23 branch January 5, 2023 08:44
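Because the PR edits package-lock.json by hand rather than letting `npm audit fix --force` regenerate it, the thing worth checking before merge is that no nested copy of json5 was missed. The following is an added example, not part of this PR or of the Nextcloud project: a Node script that walks a lockfile and reports every json5 install whose version still falls in the advisory's ranges (`<1.0.2 || >=2.0.0 <2.2.2`). It reads the `packages` map of lockfileVersion 2/3 and falls back to the nested `dependencies` tree of lockfileVersion 1; the embedded lockfile is constructed for illustration, with paths mirroring those in the npm audit output above and one nested copy deliberately left unpatched.

```javascript
// Added example (not part of the PR): scan a package-lock.json for json5 copies
// still inside the GHSA-9c47-m6qq-7p4h ranges. No external semver dependency.

// Vulnerable ranges from the advisory: <1.0.2 and >=2.0.0 <2.2.2
const VULN_RANGES = [
  { min: null, max: '1.0.2' },
  { min: '2.0.0', max: '2.2.2' },
];

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableJson5(version) {
  return VULN_RANGES.some(({ min, max }) =>
    (min === null || compareSemver(version, min) >= 0) &&
    compareSemver(version, max) < 0);
}

// lockfileVersion 1 keeps a nested "dependencies" tree; build node_modules paths
// while recursing so the report matches what npm audit prints.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'json5' && entry.version && isVulnerableJson5(entry.version)) {
      out.push({ path, version: entry.version });
    }
    walkV1(entry.dependencies, `${path}/`, out);
  }
}

// lockfileVersion 2/3 has a flat "packages" map keyed by node_modules path;
// nested copies end in ".../node_modules/json5".
function findVulnerableJson5(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!/(^|\/)node_modules\/json5$/.test(path)) continue;
      if (entry.version && isVulnerableJson5(entry.version)) {
        out.push({ path, version: entry.version });
      }
    }
  } else {
    walkV1(lock.dependencies, '', out);
  }
  return out;
}

// Constructed sample lockfile: top-level and two nested copies already bumped,
// the find-babel-config copy left at a hypothetical 0.x version.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/json5': { version: '1.0.2' },
    'node_modules/find-babel-config/node_modules/json5': { version: '0.5.1' },
    'node_modules/loader-utils/node_modules/json5': { version: '1.0.2' },
    'node_modules/tsconfig-paths/node_modules/json5': { version: '2.2.3' },
  },
};

// Usage: node check-json5.js [path/to/package-lock.json]; without an argument
// the constructed sample is scanned. Exit code 1 when anything is still vulnerable.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerableJson5(lock);
  for (const h of hits) console.log(`${h.path}: json5@${h.version} is in a vulnerable range`);
  if (hits.length === 0) console.log('no vulnerable json5 copies found');
  process.exitCode = hits.length ? 1 : 0;
}
```

Running it against the real lockfile after the manual edit gives the same answer as `npm audit` for this one advisory, without the `--force` step that pulls in the breaking vue-jest upgrade.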