Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix many GitHub Security Advisory Warnings #26

Merged
merged 8 commits into from
Jan 31, 2020
Merged

Fix many GitHub Security Advisory Warnings #26

merged 8 commits into from
Jan 31, 2020

Conversation

karlhorky
Copy link
Contributor

Many transitive dependency packages are locked to versions with GitHub security advisories (you probably see them under the security tab of this repo).

This pull request (original work courtesy of @juliakaltenegger) fixes many of them.

The last unresolved issue is a problem with heml (more specifically, the @heml/elements package). @juliakaltenegger alerted the heml project of this here:

SparkPost/heml#92

dependabot bot and others added 8 commits November 9, 2019 12:44
@dependabot @karlhorky
Bump rgb2hex from 0.1.1 to 0.1.9
a66afb8 
Bumps [rgb2hex](https://github.com/christian-bromann/rgb2hex) from 0.1.1 to 0.1.9.
- [Release notes](https://github.com/christian-bromann/rgb2hex/releases)
- [Commits](https://github.com/christian-bromann/rgb2hex/commits/v0.1.9)

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot @karlhorky
Bump lodash.merge from 4.6.1 to 4.6.2
09a01a2 
Bumps [lodash.merge](https://github.com/lodash/lodash) from 4.6.1 to 4.6.2.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/commits)

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot @karlhorky
Bump mixin-deep from 1.3.1 to 1.3.2
3e041d3 
Bumps [mixin-deep](https://github.com/jonschlinkert/mixin-deep) from 1.3.1 to 1.3.2.
- [Release notes](https://github.com/jonschlinkert/mixin-deep/releases)
- [Commits](jonschlinkert/mixin-deep@1.3.1...1.3.2)

Signed-off-by: dependabot[bot] <[email protected]>
@juliakaltenegger @karlhorky
Update lodash to newest version
3af0bda
@juliakaltenegger @karlhorky
Update to newest compatible version of reload to fix url-parse securi…
b117ce0 
…ty alert
@juliakaltenegger @karlhorky
Update union-value and set-value to solve security alerts
6f28231
@karlhorky
Remove Yarn resolutions again
45425c8
@karlhorky
Remove changes in package-lock.json
c69a1e3
@Jinksi Jinksi merged commit d6cda87 into Jinksi:master Jan 31, 2020
@Jinksi
Copy link
Owner

Jinksi commented Jan 31, 2020

Thanks @karlhorky 🙌

@karlhorky
Copy link
Contributor Author

No problem, credit to @juliakaltenegger too! Thanks for the merge!

@karlhorky
Copy link
Contributor Author

@Jinksi looks like in the meantime there are more security alerts:

Yarn

$ yarn audit

...

10 vulnerabilities found - Packages audited: 914383
Severity: 1 Low | 7 Moderate | 1 High | 1 Critical

npm

$ npm i --package-lock-only && npm audit

...

found 3 vulnerabilities (1 low, 1 moderate, 1 critical) in 924332 scanned packages

@karlhorky
Copy link
Contributor Author

karlhorky commented Jan 31, 2020
edited
Loading

The critical vulnerability comes from the heml dependency, which depends on vulnerable versions of open (also via the reload package).

Edit: I did a pull request for heml here: SparkPost/heml#98

This was referenced Jan 31, 2020
Open
Merged
@karlhorky
Copy link
Contributor Author

@Jinksi ok I've opened #28 to fix the rest of the vulnerabilities (except for the issues in heml, which will be resolved in SparkPost/heml#98)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@karlhorky @Jinksi @juliakaltenegger