Dependency upgrades for mitigating a vulnerability #128

Merged
merged 1 commit into mathiasbynens:main from dependency_upgrades
Feb 19, 2023

Conversation

KoenDG
Contributor

@KoenDG KoenDG commented Feb 18, 2023

The codecov package had a vulnerability.

The istanbul package is no longer maintained. The project recommends switching to the nyc package, which was done.

The vulnerability, as per npm audit:

```
Severity: high
Command injection in codecov (npm package) - https://github.com/advisories/GHSA-xp63-6vf5-xf3v
codecov NPM module allows remote attackers to execute arbitrary commands - https://github.com/advisories/GHSA-5q88-cjfq-g2mh
Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov - https://github.com/advisories/GHSA-mh2h-6j8q-x246
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/codecov
```

Tests ran, all passed locally.
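The triage the PR description does by hand (read the `npm audit` report, notice that the only available fix is a semver-major bump, decide to review it rather than let `npm audit fix --force` rewrite the lockfile) can be made a CI gate. The Node script below is an added example and is not code from the PR, the contributor, or the mathiasbynens project. It reads the JSON form of the same report (`npm audit --json`, npm 7+ schema) and classifies each finding by severity, by whether the package is the root cause or merely depends on a vulnerable one, and by whether the fix is non-breaking, breaking, or absent. The embedded sample report is constructed: its codecov entry carries the three advisories quoted in the PR, while the packages `example-tool` and `low-dep`, the advisory URL under `low-dep`, and the omission of the target version from `fixAvailable` are assumptions made to exercise the inherited and unfixable cases.

```javascript
// Added example (not from the PR or the mathiasbynens project): a CI gate over
// the report emitted by `npm audit --json` (npm 7+ schema). Usage:
//   npm audit --json > audit.json && AUDIT_REPORT=audit.json node audit-gate.js
// Without AUDIT_REPORT set it evaluates the constructed sample report below.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the npm 7+ report shape. The codecov entry carries the
// three advisories quoted in the PR; "example-tool" and "low-dep" are
// hypothetical packages added to exercise the inherited and unfixable cases.
// The real fixAvailable object also names the target version; it is omitted
// here because the gate does not read it.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    codecov: {
      name: "codecov",
      severity: "high",
      isDirect: true,
      via: [
        { name: "codecov", severity: "high",
          title: "Command injection in codecov (npm package)",
          url: "https://github.com/advisories/GHSA-xp63-6vf5-xf3v" },
        { name: "codecov", severity: "high",
          title: "codecov NPM module allows remote attackers to execute arbitrary commands",
          url: "https://github.com/advisories/GHSA-5q88-cjfq-g2mh" },
        { name: "codecov", severity: "high",
          title: "Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov",
          url: "https://github.com/advisories/GHSA-mh2h-6j8q-x246" },
      ],
      nodes: ["node_modules/codecov"],
      fixAvailable: { name: "codecov", isSemVerMajor: true }, // breaking upgrade
    },
    "example-tool": { // hypothetical: inherits the problem through codecov
      name: "example-tool", severity: "high", isDirect: false,
      via: ["codecov"], nodes: ["node_modules/example-tool"],
      fixAvailable: true, // plain `npm audit fix` resolves it
    },
    "low-dep": { // hypothetical: below the default threshold and unfixable
      name: "low-dep", severity: "moderate", isDirect: true,
      via: [{ name: "low-dep", severity: "moderate", title: "constructed advisory",
              url: "https://example.invalid/advisory" }],
      nodes: ["node_modules/low-dep"], fixAvailable: false,
    },
  },
};

// Classify every package at or above `threshold`. In the report, `via` mixes
// advisory objects (the package is the root cause) with plain strings (it only
// depends on a vulnerable package). `fixAvailable` is false (no fix), true
// (plain `npm audit fix`) or an object whose isSemVerMajor flag marks a
// breaking upgrade, which is what `npm audit fix --force` would install.
function triage(report, threshold = "high") {
  const floor = SEVERITY_RANK[threshold];
  if (floor === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const findings = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] ?? -1) < floor) continue;
    const via = Array.isArray(v.via) ? v.via : [];
    let fix = "none";
    if (v.fixAvailable === true) fix = "non-breaking";
    else if (v.fixAvailable && typeof v.fixAvailable === "object")
      fix = v.fixAvailable.isSemVerMajor ? "breaking" : "non-breaking";
    findings.push({
      name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      advisories: via.filter((x) => typeof x === "object").map((a) => a.url),
      inheritedFrom: via.filter((x) => typeof x === "string"),
      fix,
      paths: v.nodes || [],
    });
  }
  return findings;
}

// Turn findings into CI output. Breaking fixes are listed separately so a human
// reviews the major bump (as this PR did) instead of `--force` doing it unattended.
function summarize(findings) {
  const lines = findings.map((f) => {
    const origin = f.direct ? "direct dependency" : `via ${f.inheritedFrom.join(", ")}`;
    const head = `${f.severity.toUpperCase()} ${f.name} (${origin}) fix: ${f.fix}`;
    return [head, ...f.advisories.map((u) => `    ${u}`), ...f.paths.map((p) => `    at ${p}`)].join("\n");
  });
  const breaking = findings.filter((f) => f.fix === "breaking").map((f) => f.name);
  return { exitCode: findings.length ? 1 : 0, breaking, text: lines.join("\n") };
}

if (process.env.AUDIT_REPORT) {
  const report = JSON.parse(require("fs").readFileSync(process.env.AUDIT_REPORT, "utf8"));
  const result = summarize(triage(report, process.env.AUDIT_THRESHOLD || "high"));
  console.log(result.text || "no findings at or above threshold");
  if (result.breaking.length) console.log(`needs manual review (semver-major): ${result.breaking.join(", ")}`);
  process.exitCode = result.exitCode;
} else {
  console.log(summarize(triage(sampleReport)).text);
}
```

The threshold defaults to `high` because that is the level the PR's report was flagged at; `AUDIT_THRESHOLD=moderate` widens the gate. A failing exit code plus the separate "needs manual review" line is the point: the job goes red, but the lockfile is only changed by a reviewed PR like this one.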

The istanbul package is no longer maintained. The project recommends switching to the nyc package, which was done.
@mathiasbynens mathiasbynens merged commit d8bbc1f into mathiasbynens:main Feb 19, 2023
@mathiasbynens
Owner

Thanks!

@KoenDG KoenDG deleted the dependency_upgrades branch February 19, 2023 20:59