Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to npm 8.5.3 in 16.x to alleviate PRISMA-2022-0039 #42510

Closed
reece-oliver opened this issue Mar 29, 2022 · 1 comment
Closed

Upgrade to npm 8.5.3 in 16.x to alleviate PRISMA-2022-0039 #42510

reece-oliver opened this issue Mar 29, 2022 · 1 comment
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.

Comments

@reece-oliver
Copy link

Version

16.14.2

Platform

All

Subsystem

minimatch

What steps will reproduce the bug?

npm is on 8.5.0 and needs updating to latest npm 8.5.3 to remove the CVE in minimatch (PRISMA-2022-0039)

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior?

No response

What do you see instead?

Need npm 8.5.3 in node 16.x

Additional information

No response
@targos targos added npm Issues and PRs related to the npm client dependency or the npm registry. v16.x labels Mar 29, 2022
@targos
Copy link
Member

targos commented Mar 29, 2022

I added the relevant label on #42205 and #42382 to make sure npm will be updated in the next v16.x release.
I'm closing the issue now because there is nothing else to do but waiting for the release to happen.

@targos targos closed this as completed Mar 29, 2022
@TheKingTermux TheKingTermux mentioned this issue Oct 24, 2022
Closed
4 tasks
@sjgupta19 sjgupta19 mentioned this issue Oct 26, 2022
Closed
2 tasks
@ZainRizvi ZainRizvi mentioned this issue Nov 16, 2022
Merged
ZainRizvi added a commit to pytorch/test-infra that referenced this issue Nov 16, 2022
@ZainRizvi
Upgrade to secure version of minimatch & upgrade deprecated lambda no…
f7e9783 
…dejs12 runtime (#1090)

This PR contains two changes:
1. Fixes a security vuln with the minimatch package (identified by
github). More details below
2. Upgrades the aws nodejs runtime past the now End-of-support nodejs12
runtime, which the tflint complained about after fixing the above
security vuln

# Package Dependency
- Repository:
[pytorch/test-infra](https://github.com/pytorch/test-infra)
- Manifest file:
[terraform-aws-github-runner/modules/webhook/lambdas/webhook/yarn.lock](https://github.com/pytorch/test-infra/blob/main/terraform-aws-github-runner/modules/webhook/lambdas/webhook/yarn.lock)
- Package name: [minimatch](https://npmjs.com/package/minimatch)
- Affected versions: < 3.0.5
- Fixed in version: 3.0.5
- Severity: HIGH

# References
https://nvd.nist.gov/vuln/detail/CVE-2022-3517
grafana/grafana-image-renderer#329

isaacs/minimatch@a8763f4
nodejs/node#42510
GHSA-f8q6-p94x-37v3
kit1980 pushed a commit to pytorch/test-infra that referenced this issue Nov 23, 2022
@ZainRizvi @kit1980
Upgrade to secure version of minimatch & upgrade deprecated lambda no…
c1f5b3e 
…dejs12 runtime (#1090)

This PR contains two changes:
1. Fixes a security vuln with the minimatch package (identified by
github). More details below
2. Upgrades the aws nodejs runtime past the now End-of-support nodejs12
runtime, which the tflint complained about after fixing the above
security vuln

# Package Dependency
- Repository:
[pytorch/test-infra](https://github.com/pytorch/test-infra)
- Manifest file:
[terraform-aws-github-runner/modules/webhook/lambdas/webhook/yarn.lock](https://github.com/pytorch/test-infra/blob/main/terraform-aws-github-runner/modules/webhook/lambdas/webhook/yarn.lock)
- Package name: [minimatch](https://npmjs.com/package/minimatch)
- Affected versions: < 3.0.5
- Fixed in version: 3.0.5
- Severity: HIGH

# References
https://nvd.nist.gov/vuln/detail/CVE-2022-3517
grafana/grafana-image-renderer#329

isaacs/minimatch@a8763f4
nodejs/node#42510
GHSA-f8q6-p94x-37v3
@debricked debricked bot mentioned this issue Mar 10, 2023
Open
@debricked debricked bot mentioned this issue Jul 3, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
npm Issues and PRs related to the npm client dependency or the npm registry.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@targos @reece-oliver