From b74bbe2f110caef667da398231aaa90653ce2e14 Mon Sep 17 00:00:00 2001
From: Jack Schofield
Date: Fri, 31 Jan 2020 15:01:48 +0000
Subject: [PATCH] fix: use @snyk/update-notifier instead of update-notifier

Using a forked version of update-notifier to fix a prototype pollution in its dependency dot-prop present in versions < 5.1.0
---
 package.json         | 2 +-
 src/lib/updater.ts   | 2 +-
 test/updater.test.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index b541f117dd..75d37d8c6e 100644
--- a/package.json
+++ b/package.json
@@ -59,6 +59,7 @@
     "@snyk/dep-graph": "1.13.1",
     "@snyk/gemfile": "1.2.0",
     "@snyk/snyk-cocoapods-plugin": "2.0.1",
+    "@snyk/update-notifier": "^2.5.1-rc1",
     "@types/agent-base": "^4.2.0",
     "@types/restify": "^4.3.6",
     "abbrev": "^1.1.1",
@@ -97,7 +98,6 @@
     "strip-ansi": "^5.2.0",
     "tempfile": "^2.0.0",
     "then-fs": "^2.0.0",
-    "update-notifier": "^2.5.0",
     "uuid": "^3.3.2",
     "wrap-ansi": "^5.1.0"
   },
diff --git a/src/lib/updater.ts b/src/lib/updater.ts
index fd1ca86365..bbd431e369 100644
--- a/src/lib/updater.ts
+++ b/src/lib/updater.ts
@@ -1,4 +1,4 @@
-import * as updateNotifier from 'update-notifier';
+import * as updateNotifier from '@snyk/update-notifier';
 import * as fs from 'fs';
 import * as p from 'path';
 
diff --git a/test/updater.test.js b/test/updater.test.js
index 2f8dc3fde2..82cdd3094b 100644
--- a/test/updater.test.js
+++ b/test/updater.test.js
@@ -4,7 +4,7 @@ const updateCheck = require('../src/lib/updater').updateCheck;
 const fs = require('fs');
 const p = require('path');
 const sinon = require('sinon').createSandbox();
-const updateNotifier = require('update-notifier');
+const updateNotifier = require('@snyk/update-notifier');
 
 // Fake location of the package.json file and verify the code behaves well
 test('missing package.json', (t) => {
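Review bot: The added line `"@snyk/update-notifier": "^2.5.1-rc1"` takes a caret range over a pre-release of the fork, yet nothing in the diff pins or verifies the transitive dot-prop version that is the whole reason for the swap: the diffstat lists only package.json and the two import sites, so any lockfile the repo keeps was not regenerated, and a fresh install may resolve a different publish of the fork than the one that was checked. I would pin the fork exactly until a non-rc release exists, `"@snyk/update-notifier": "2.5.1-rc1"`, and add a CI step such as `npm ls dot-prop` (or a `snyk test` run) that fails if any resolved dot-prop is below the fixed release, since dot-prop is also reachable through other dependencies in this tree. It is also worth double-checking the floor stated in the commit message: my recollection is that the upstream fix shipped in dot-prop 5.1.1 rather than 5.1.0, so confirm the fork's resolved dot-prop against the advisory rather than the "< 5.1.0" wording here.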