@XeR XeR commented Aug 24, 2022

I do not know how to test that. At least it still builds :D

We still have @quasar/cli's dependencies, but those are too ancient to be upgraded it seems.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Got allows a redirect to a UNIX socket                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ got                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=11.8.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @quasar/cli                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @quasar/cli > download-git-repo > download > got             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1080920                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

@quasar/cli is in version 1.3.2 (up to date)
download-git-repo is in version 3.0.2 (up to date)
download is in version 7.1.0 (most recent 7.x release); the most recent version does not fix the vulnerability
got is in version 8.3.1, but the patch is in version 11.8.5

The only meaningful thing we can do is upgrade got to version 11.8.5, but I'm afraid the jump from version 8.3.1 might contain breaking changes.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Got allows a redirect to a UNIX socket                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ got                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=11.8.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @quasar/cli                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @quasar/cli > update-notifier > latest-version >             │
│               │ package-json > got                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1080920                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

update-notifier is in version 5.1.0 (most recent 5.x release); the first version that fixes the vuln is 6.0.1
latest-version is in version 5.1.0 (most recent 5.x release); the first version that fixes the vuln is 7.0.0
package-json is in version 6.3.0; the first version that fixes the vuln is 8.0.0
got is in version 9.6.0, but the patch is in version 11.8.5

Same comment as above. Maybe we can have more luck with the other dependencies.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Command injection in git-clone                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ git-clone                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @quasar/cli                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @quasar/cli > download-git-repo > git-clone                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1084214                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

There is nothing to do. Good luck with that.

Until we tackle TFNS#144, this upgrades two vulnerable dependencies.
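The version-by-version reasoning in the description above (walk each audit path, compare the installed version of every link with the first release that carries the fix, and see whether the advisory can be closed without a major-version bump) can be scripted. The block below is an added example, not code from the TFNS project or from this PR. The version numbers are the ones quoted in the description; the path layout is constructed, and treating `@quasar/cli` and `download-git-repo` as having no fixing release (`firstFixed: null`) is an assumption drawn from the note that no `download` release fixes the issue.

```javascript
// Added example (not part of the PR): classify the links of a yarn/npm audit path
// and report whether a non-breaking (same-major) upgrade closes the advisory.

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Standard numeric comparison of major, then minor, then patch.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  return 0;
}

// One link of a dependency path. `firstFixed` is the lowest release of that package
// that pulls in a patched subtree, or null when no released version does.
function classifyLink(link) {
  if (link.firstFixed === null) return "no-fix-released";
  if (compareSemver(link.installed, link.firstFixed) >= 0) return "already-fixed";
  const sameMajor =
    parseSemver(link.installed).major === parseSemver(link.firstFixed).major;
  // Under semver a major bump may carry breaking changes; a minor/patch bump should not.
  return sameMajor ? "upgrade-minor" : "upgrade-major";
}

// Returns the first link that can be bumped within its current major, or null when
// every link on the path needs a breaking upgrade (or has no fix at all).
function findNonBreakingUpgrade(path) {
  for (const link of path) {
    if (classifyLink(link) === "upgrade-minor") return link;
  }
  return null;
}

function summarize(path) {
  return path.map((link) => ({ name: link.name, action: classifyLink(link) }));
}

// Constructed from the two "Got allows a redirect to a UNIX socket" tables in the PR.
// firstFixed: null for @quasar/cli and download-git-repo is an assumption (no download
// release fixes the issue, so nothing above it on this path can either).
const DOWNLOAD_PATH = [
  { name: "@quasar/cli", installed: "1.3.2", firstFixed: null },
  { name: "download-git-repo", installed: "3.0.2", firstFixed: null },
  { name: "download", installed: "7.1.0", firstFixed: null },
  { name: "got", installed: "8.3.1", firstFixed: "11.8.5" },
];

const UPDATE_NOTIFIER_PATH = [
  { name: "@quasar/cli", installed: "1.3.2", firstFixed: null },
  { name: "update-notifier", installed: "5.1.0", firstFixed: "6.0.1" },
  { name: "latest-version", installed: "5.1.0", firstFixed: "7.0.0" },
  { name: "package-json", installed: "6.3.0", firstFixed: "8.0.0" },
  { name: "got", installed: "9.6.0", firstFixed: "11.8.5" },
];

for (const path of [DOWNLOAD_PATH, UPDATE_NOTIFIER_PATH]) {
  console.log(summarize(path));
  const link = findNonBreakingUpgrade(path);
  console.log("non-breaking upgrade available:", link ? link.name : "none");
}
```

For both paths every fixing release sits on the other side of a major boundary, which is exactly why the description concludes that only a breaking `got` upgrade would help; the same script points at the right link to bump when a future advisory does have a same-major fix.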
@JJ-8 JJ-8 left a comment


It still builds for me too! And graphql seems to be still working, so I think it is okay.

@JJ-8 JJ-8 merged commit 51a7ce6 into TFNS:main Aug 26, 2022
@XeR XeR deleted the 178-update-front-eslint branch August 26, 2022 17:06