From 93845d910c5fef6d41f9e11d023060bfc461921a Mon Sep 17 00:00:00 2001
From: Jack Schofield
Date: Fri, 31 Jan 2020 13:29:18 +0000
Subject: [PATCH 1/2] fix: use @snyk/configstore instead of configstore
Using a forked version of configstore to fix a a prototype pollution in its dependency dot-prop present in versions < 5.1.0
---
 package.json | 2 +-
 src/lib/user-config.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index b4f163687f..b541f117dd 100644
--- a/package.json
+++ b/package.json
@@ -55,6 +55,7 @@
 "license": "Apache-2.0",
 "dependencies": {
 "@snyk/cli-interface": "2.3.0",
+ "@snyk/configstore": "^3.2.0-rc1",
 "@snyk/dep-graph": "1.13.1",
 "@snyk/gemfile": "1.2.0",
 "@snyk/snyk-cocoapods-plugin": "2.0.1",
@@ -64,7 +65,6 @@
 "ansi-escapes": "3.2.0",
 "chalk": "^2.4.2",
 "cli-spinner": "0.2.10",
- "configstore": "^3.1.2",
 "debug": "^3.1.0",
 "diff": "^4.0.1",
 "git-url-parse": "11.1.2",
diff --git a/src/lib/user-config.js b/src/lib/user-config.js
index b09d07e0f1..cfb852a08f 100644
--- a/src/lib/user-config.js
+++ b/src/lib/user-config.js
@@ -1,4 +1,4 @@
-const Configstore = require('configstore');
+const Configstore = require('@snyk/configstore');
 const pkg = require(__dirname + '/../../package.json');
 const config = new Configstore(pkg.name);
From b74bbe2f110caef667da398231aaa90653ce2e14 Mon Sep 17 00:00:00 2001
From: Jack Schofield
Date: Fri, 31 Jan 2020 15:01:48 +0000
Subject: [PATCH 2/2] fix: use @snyk/update-notifier instead of update-notifier
Using a forked version of update-notifier to fix a prototype pollution in its dependency dot-prop present in versions < 5.1.0
---
 package.json | 2 +-
 src/lib/updater.ts | 2 +-
 test/updater.test.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index b541f117dd..75d37d8c6e 100644
--- a/package.json
+++ b/package.json
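Review bot: The added `"@snyk/configstore": "^3.2.0-rc1"` in the first package.json hunk is the one `@snyk/*` entry with a caret range, while its neighbours `@snyk/cli-interface`, `@snyk/dep-graph` and `@snyk/gemfile` are pinned exactly. Because this line is the security fix itself, pinning it (`"@snyk/configstore": "3.2.0-rc1"`) would follow the file's convention for scoped packages and make the version that carries the dot-prop fix reproducible rather than whatever the registry resolves later. The diffstat shows no lockfile change, so if the project ships one it should be regenerated with this patch and the transitive dot-prop version confirmed to be at least 5.1.0 (for example with `npm ls dot-prop`). A tracked follow-up noting that the fork is a stop-gap until upstream configstore updates dot-prop would help later maintainers remove it.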
@@ -59,6 +59,7 @@
 "@snyk/dep-graph": "1.13.1",
 "@snyk/gemfile": "1.2.0",
 "@snyk/snyk-cocoapods-plugin": "2.0.1",
+ "@snyk/update-notifier": "^2.5.1-rc1",
 "@types/agent-base": "^4.2.0",
 "@types/restify": "^4.3.6",
 "abbrev": "^1.1.1",
@@ -97,7 +98,6 @@
 "strip-ansi": "^5.2.0",
 "tempfile": "^2.0.0",
 "then-fs": "^2.0.0",
- "update-notifier": "^2.5.0",
 "uuid": "^3.3.2",
 "wrap-ansi": "^5.1.0"
 },
diff --git a/src/lib/updater.ts b/src/lib/updater.ts
index fd1ca86365..bbd431e369 100644
--- a/src/lib/updater.ts
+++ b/src/lib/updater.ts
@@ -1,4 +1,4 @@
-import * as updateNotifier from 'update-notifier';
+import * as updateNotifier from '@snyk/update-notifier';
 import * as fs from 'fs';
 import * as p from 'path';
diff --git a/test/updater.test.js b/test/updater.test.js
index 2f8dc3fde2..82cdd3094b 100644
--- a/test/updater.test.js
+++ b/test/updater.test.js
@@ -4,7 +4,7 @@
 const updateCheck = require('../src/lib/updater').updateCheck;
 const fs = require('fs');
 const p = require('path');
 const sinon = require('sinon').createSandbox();
-const updateNotifier = require('update-notifier');
+const updateNotifier = require('@snyk/update-notifier');
 // Fake location of the package.json file and verify the code behaves well
 test('missing package.json', (t) => {
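Review bot: The added `"@snyk/update-notifier": "^2.5.1-rc1"` is a caret range on a release candidate, sitting between `@snyk/snyk-cocoapods-plugin` and the `@types/*` entries that are pinned or ranged on stable versions. Pinning it exactly (`"@snyk/update-notifier": "2.5.1-rc1"`) would keep the version carrying the dot-prop fix fixed until a stable release of the fork exists. The commit message says the vulnerability is in update-notifier's dot-prop dependency, so after installing it is worth checking that no second copy of dot-prop below 5.1.0 remains in the tree (`npm ls dot-prop`), since the diffstat shows no lockfile update. The updater.ts and updater.test.js hunks are import renames only and need nothing further.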