Skip to content

chore: mitigate security advisory 886 #198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

chore: mitigate security advisory 886 #198

wants to merge 2 commits into from

Conversation

@hughrawlinson
Copy link

@hughrawlinson hughrawlinson commented May 22, 2019
edited
Loading

[email protected] uses [email protected], which has this advisory: https://www.npmjs.com/advisories/886

[email protected] resolved that vulnerability by removing dependencies on fstream.

I also bumped [email protected] to 2.1.1, which does the same as above.

The tests don't pass locally, but I'm hoping the reasons why become more clear by running on CI, so that I can resolve them.

Please feel free to close this if it doesn't make sense for some reason I haven't thought of (or of course for any other reason). Thank you all for all you do! 😄

@hughrawlinson hughrawlinson requested a review from a team as a code owner May 22, 2019 13:05
@hughrawlinson hughrawlinson changed the title chore: update node-gyp to mitigate a security advisory chore: mitigate security advisory 886 May 22, 2019
@daviwil daviwil mentioned this pull request May 26, 2019
Closed
@valdemon valdemon mentioned this pull request May 27, 2019
Open
@joaogarin joaogarin mentioned this pull request May 29, 2019
Closed
@brettz9
Copy link
Contributor

brettz9 commented Jun 10, 2019
edited
Loading

Would be great to get this looked at, as npm audit is listing 12 high risk advisories resulting from these two packages (none of which is npm audit fix working to fix)...

@Haprog Haprog mentioned this pull request Jun 18, 2019
Merged
@gobengo gobengo mentioned this pull request Jun 23, 2019
Closed
3 tasks
@isaacs
Copy link
Contributor

isaacs commented Jun 26, 2019

Bumping to node-gyp v4 will take some more refactoring, but the fstream vuln will be fixed in the next release. Thanks!

@isaacs isaacs closed this Jun 26, 2019
@hughrawlinson hughrawlinson deleted the bump-node-gyp branch June 27, 2019 16:58
@gutwrinch gutwrinch mentioned this pull request Oct 19, 2023
Merged
@bumplzz69 bumplzz69 mentioned this pull request Nov 30, 2023
Open
@Bhanditz Bhanditz mentioned this pull request Nov 30, 2023
Open
@snyk-io snyk-io bot mentioned this pull request Oct 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hughrawlinson @brettz9 @isaacs