security(deps): bump filenamify-url to 2.1.1 #393

Merged
merged 1 commit into from
Jun 14, 2021


AviVahl
Contributor

@AviVahl AviVahl commented Jun 10, 2021

regenerated lock file from scratch to get back to 0 vulnerabilities

fixes:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ normalize-url                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gh-pages                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gh-pages > filenamify-url > humanize-url > normalize-url     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1755                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
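
The "Patched in" range from the advisory above can be checked directly against a lock file after an upgrade like this one. This is an added example, not part of the pull request or the gh-pages code base; it assumes a hand-rolled range check in place of the `semver` package, ignores prerelease tags, and runs on constructed sample lock data with hypothetical names `isPatched` and `findVulnerable`.

```javascript
// Added example: report normalize-url entries in a package-lock.json that fall
// outside the advisory's patched range:
//   >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1

// Assumption: plain "major.minor.patch"; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function isPatched(version) {
  const [major, minor, patch] = parseVersion(version);
  const atLeast = (mi, pa) => minor > mi || (minor === mi && patch >= pa);
  if (major === 4) return atLeast(5, 1);
  if (major === 5) return atLeast(3, 1);
  if (major === 6) return atLeast(0, 1);
  return major > 6; // versions below 4.x are not in the patched range
}

// lockfileVersion 2+ has a flat `packages` map keyed by node_modules path;
// lockfileVersion 1 only has nested `dependencies` mirroring the install tree.
function findVulnerable(lock, name = 'normalize-url') {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path.split('node_modules/').pop() === name && !isPatched(pkg.version)) {
      hits.push({ path, version: pkg.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...trail, dep];
      if (dep === name && !isPatched(info.version)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample data (hypothetical versions, not the project's lock file).
const lockV1 = { lockfileVersion: 1, dependencies: { 'humanize-url': {
  version: '1.0.1', dependencies: { 'normalize-url': { version: '1.9.1' } } } } };
const lockV2 = { lockfileVersion: 2, packages: {
  '': { name: 'sample' },
  'node_modules/normalize-url': { version: '4.5.1' } } };
console.log(findVulnerable(lockV1), findVulnerable(lockV2));
```

An empty result for the regenerated lock file means every resolved copy of the package sits inside the patched range, including copies nested under other dependencies.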

regenerated lock file from scratch to get back to 0 vulnerabilities

@TyMick TyMick left a comment


For what it's worth, the only breaking change in filenamify-url v2 is that it requires Node.js 8, so no other code changes should be necessary. 👍🏼

@TyMick

TyMick commented Jun 10, 2021

Though I'm not sure that regenerating the lockfile was necessary—npm install filenamify-url@2 probably would've been sufficient to upgrade normalize-url.

@AviVahl
Contributor Author

AviVahl commented Jun 10, 2021

> Though I'm not sure that regenerating the lockfile was necessary—npm install filenamify-url@2 probably would've been sufficient to upgrade normalize-url.

There were other audit failures from locked deps.

@emilbader

Related issue: sindresorhus/filenamify-url#9
Related commit in humanize-url: sindresorhus/humanize-url@d013ec7

@AviVahl
Contributor Author

AviVahl commented Jun 14, 2021

heya @tschaub, any chance you've got time to review this? :)

@tschaub tschaub merged commit a4c9eee into tschaub:main Jun 14, 2021
@tschaub
Owner

tschaub commented Jun 14, 2021

Thanks, @AviVahl.

There are automated security updates configured for this repo, but they can take up to 7 days from the time of an alert. The alert for normalize-url was still only 6 days old.

@skratchdot

I think this change broke our ci.

we clone our repo via something like:

[email protected]:org/repo.git

our ci job now fails during a gh-pages step with the following error:

Invalid URL: http:[email protected]:org/repo.git
