Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump version for http-server pkg to fix audit #150

Merged
merged 2 commits into from
Jan 14, 2022
Merged

Bump version for http-server pkg to fix audit #150

merged 2 commits into from
Jan 14, 2022

Conversation

leaysgur
Copy link
Contributor

@miniflare/http-server package has deps to selfsigned package and it was reported as low severity vulnerabilities.

Logs by `npm i miniflare` 
~/Codes
❯ mkdir miniflare-deps

~/Codes
❯ cd miniflare-deps

~/Codes/miniflare-deps
❯ npm init -y
Wrote to /Users/leader22/Codes/miniflare-deps/package.json:

{
  "name": "miniflare-deps",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "Yuji Sugiura",
  "license": "MIT"
}



~/Codes/miniflare-deps
❯ npm i miniflare

added 40 packages, and audited 41 packages in 2s

4 low severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

~/Codes/miniflare-deps
❯ npm audit
# npm audit report

node-forge  <1.0.0
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    @miniflare/http-server  *
    Depends on vulnerable versions of selfsigned
    node_modules/@miniflare/http-server
      miniflare  >=2.0.0-next.1
      Depends on vulnerable versions of @miniflare/http-server
      node_modules/miniflare

4 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

This PR updates selfsigned to 2.0.0 (major version up), but actual implementation seems not changed.
jfromaniello/selfsigned@v1.10.11...v2.0.0

@mrbbot mrbbot merged commit fb71938 into cloudflare:master Jan 14, 2022
@mrbbot mrbbot added the v2.1.0 label Jan 14, 2022
@leaysgur leaysgur deleted the bump/selfsigned branch January 14, 2022 22:08
@mrbbot
Copy link
Contributor

mrbbot commented Jan 14, 2022

Hey! 👋 Thanks for this PR! 😃 I've just released version 2.1.0 including this. You can find the full changelog here.

@leaysgur
Copy link
Contributor Author

Thank you! 😆

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@leaysgur @mrbbot