gregsinclair42 commented Aug 21, 2023

This is a small PR that fixes a few high and critical dependency vulnerabilities discovered by Snyk:

```
Testing https://github.com/gulpjs/gulp-cli...

✗ High severity vulnerability found in unset-value
  Description: Prototype Pollution
  Info: https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660
  Introduced through: matchdep@2.0.0, liftoff@3.1.0
  From: matchdep@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
  From: matchdep@2.0.0 > micromatch@3.1.10 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
  From: matchdep@2.0.0 > micromatch@3.1.10 > extglob@2.0.4 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0
  and 12 more...

✗ High severity vulnerability found in ansi-regex
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
  Introduced through: yargs@7.1.2
  From: yargs@7.1.2 > string-width@1.0.2 > strip-ansi@3.0.1 > ansi-regex@2.1.1
  From: yargs@7.1.2 > cliui@3.2.0 > strip-ansi@3.0.1 > ansi-regex@2.1.1
  From: yargs@7.1.2 > cliui@3.2.0 > string-width@1.0.2 > strip-ansi@3.0.1 > ansi-regex@2.1.1
  and 2 more...
```

The fix requires overriding some transitive dependencies, upgrading yargs, and adding the correct version of ansi-regex as a main dependency rather than a transitive dependency.
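As an added example (not code from this PR or from gulp-cli), a Node script that reproduces the `From:` chains Snyk reports above by walking the flat `packages` map of a package-lock.json v2/v3 with Node-style module resolution, which is what makes a nested copy of an old transitive version survive next to a newer hoisted one. The lockfile inside is constructed to mirror the yargs chains from the report; the hoisted `ansi-regex@5.0.1` standing in for the patched direct dependency is an assumption, not a version stated on the page.

```javascript
// Added example, not code from this PR or gulp-cli: list every dependency
// chain from the project root to a package in an npm lockfile (the chains
// Snyk prints as "From:" lines), using the flat "packages" map of a
// package-lock.json v2/v3. The lockfile below is constructed for the example.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { yargs: "^7.1.2", "ansi-regex": "^5.0.1" } },
    "node_modules/ansi-regex": { version: "5.0.1" }, // hoisted direct dep (assumed fixed version)
    "node_modules/yargs": { version: "7.1.2",
      dependencies: { cliui: "^3.2.0", "string-width": "^1.0.2" } },
    "node_modules/cliui": { version: "3.2.0",
      dependencies: { "strip-ansi": "^3.0.1", "string-width": "^1.0.2" } },
    "node_modules/string-width": { version: "1.0.2",
      dependencies: { "strip-ansi": "^3.0.1" } },
    "node_modules/strip-ansi": { version: "3.0.1",
      dependencies: { "ansi-regex": "^2.0.0" } },
    // strip-ansi@3 cannot use the hoisted 5.0.1, so npm nests the old copy.
    "node_modules/strip-ansi/node_modules/ansi-regex": { version: "2.1.1" },
  },
};

// Node-style resolution: the requiring package's own node_modules first,
// then each ancestor's, ending at the project root.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Depth-first walk from the root; returns "name@version > ..." strings for
// every chain ending in `target` (optionally only at `version`).
function pathsTo(packages, target, version) {
  const out = [];
  const walk = (path, chain, seen) => {
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const next = resolve(packages, path, name);
      if (!next || seen.has(next)) continue; // unresolvable or cyclic
      const label = `${name}@${packages[next].version}`;
      if (name !== target) walk(next, [...chain, label], new Set([...seen, next]));
      else if (!version || packages[next].version === version) out.push([...chain, label].join(" > "));
    }
  };
  walk("", [], new Set());
  return out;
}
```

Running `pathsTo(SAMPLE_LOCK.packages, "ansi-regex", "2.1.1")` yields the three yargs chains from the report; deleting the nested `node_modules/strip-ansi/node_modules/ansi-regex` entry (the effect the described override aims for) makes every chain resolve to the hoisted version instead.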

phated (Member) commented Aug 21, 2023

These will be updated with our other updates that are being batched in preparation for gulp 5. See #239

phated closed this Aug 21, 2023