
Conversation

@gabrieldonadel (Collaborator)

Summary

Running yarn audit shows a vulnerability in the shelljs version we're currently using

image

This PR upgrades shelljs from 0.8.4 to 0.8.5 in order to mitigate this vulnerability

More info on GHSA-4rq4-32rv-6wp6

Changelog

[Internal] [Security] - Upgrade shelljs to v0.8.5 in order to fix Improper Privilege Management vulnerability

Test Plan

There are no API changes between versions 0.8.4 and 0.8.5, so just testing the scripts that use this lib should be enough.
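As an added example (not code from the PR or from react-native), a small Node script that parses a yarn.lock v1 file and reports any `shelljs` entry still resolved to a version below 0.8.5, the fixed release this PR moves to; the lock-file text and the spec list are constructed for the example.

```javascript
// Added example, not part of the PR: scan a yarn.lock v1 file for shelljs
// entries resolved below the fixed release (0.8.5). The lock text is constructed.
const SAMPLE_YARN_LOCK = `# yarn lockfile v1

shelljs@^0.8.4:
  version "0.8.4"
  resolved "https://registry.yarnpkg.com/shelljs/-/shelljs-0.8.4.tgz#constructed"
  integrity sha512-CONSTRUCTED-PLACEHOLDER

"shelljs@^0.8.5", shelljs@0.8.5:
  version "0.8.5"
  resolved "https://registry.yarnpkg.com/shelljs/-/shelljs-0.8.5.tgz#constructed"
  integrity sha512-CONSTRUCTED-PLACEHOLDER
`;

// Parse yarn.lock v1 into entries of { specs: [...], version }. An entry
// header is an unindented line ending in ":" that lists one or more
// "name@range" specs (quoted or not) separated by ", ".
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (raw.startsWith("#") || raw.trim() === "") continue;
    if (!/^\s/.test(raw) && raw.endsWith(":")) {
      const specs = raw.slice(0, -1).split(", ").map((s) => s.replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
      continue;
    }
    const m = raw.match(/^\s+version "([^"]+)"/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Numeric MAJOR.MINOR.PATCH comparison; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Entries for `pkg` whose resolved version is older than `fixed`.
function findOutdated(lockText, pkg, fixed) {
  return parseYarnLock(lockText).filter((e) =>
    e.specs.some((s) => s.startsWith(pkg + "@")) && e.version !== null && compareVersions(e.version, fixed) < 0);
}

for (const e of findOutdated(SAMPLE_YARN_LOCK, "shelljs", "0.8.5")) {
  console.log(`shelljs ${e.version} (${e.specs.join(", ")}) is below 0.8.5, see GHSA-4rq4-32rv-6wp6`);
}
```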

@facebook-github-bot added the CLA Signed and Shared with Meta labels on Jan 31, 2022
@analysis-bot

| Platform | Engine | Arch | Size (bytes) | Diff |
| --- | --- | --- | --- | --- |
| ios | - | universal | n/a | -- |

Base commit: 3f49e67
Branch: main

@analysis-bot

| Platform | Engine | Arch | Size (bytes) | Diff |
| --- | --- | --- | --- | --- |
| android | hermes | arm64-v8a | 8,300,992 | +0 |
| android | hermes | armeabi-v7a | 7,639,817 | +0 |
| android | hermes | x86 | 8,776,814 | +0 |
| android | hermes | x86_64 | 8,713,472 | +0 |
| android | jsc | arm64-v8a | 9,785,044 | +0 |
| android | jsc | armeabi-v7a | 8,771,205 | +0 |
| android | jsc | x86 | 9,752,035 | +0 |
| android | jsc | x86_64 | 10,347,958 | +0 |

Base commit: 3f49e67
Branch: main

@facebook-github-bot (Contributor)

@lunaleaps has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

@gabrieldonadel (Collaborator, Author)

@lunaleaps do you mind checking if fb internal tests are failing due to this change or if it was just a fluke?

@lunaleaps (Contributor)

Yea we have an internal mirror of dependencies I need to update -- will be updating internally! Thanks again for your help here!

@react-native-bot (Collaborator)

This pull request was successfully merged by @gabrieldonadel in e8f7a1b.

When will my fix make it into a release? | Upcoming Releases

@react-native-bot added the Merged label on Feb 1, 2022
@gabrieldonadel gabrieldonadel deleted the update-shell-js branch February 1, 2022 21:42
shwanton pushed a commit to shwanton/react-native-macos that referenced this pull request Feb 13, 2023
Summary:
Running `yarn audit` shows a vulnerability in the `shelljs` version we're currently using

![image](https://user-images.githubusercontent.com/11707729/151735377-eb0ed224-59b6-443c-9127-1b72dd88ee80.png)

This PR upgrades `shelljs` from 0.8.4 to 0.8.5 in order to mitigate this vulnerability

More info on GHSA-4rq4-32rv-6wp6

## Changelog

[Internal] [Security] - Upgrade shelljs to v0.8.5 in order to fix Improper Privilege Management vulnerability

Pull Request resolved: facebook#33001

Test Plan: There are no API changes between versions 0.8.4 and 0.8.5, so just testing the scripts that use this lib should be enough.

Reviewed By: cortinico

Differential Revision: D33897436

Pulled By: lunaleaps

fbshipit-source-id: f32b118ff47c6135845ac4de425feb8ebea220a8

Labels: CLA Signed, Merged, Shared with Meta, Type: Security

6 participants