
Dependency update for jest-reporters, addressing CVE-2022-25883 #14401

Merged
merged 3 commits into from
Aug 12, 2023

Conversation

karlnorling
Contributor

Summary

Addressing https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795 for semver coming in from istanbul-lib-instrument@^5.1.0 and below.

See: istanbuljs/istanbuljs#731

  • istanbul-lib-instrument updated from 5.10.0 to 6.0.0
    • istanbul-lib-instrument dropping support for node 10
    • fixing semver vuln. CVE-2022-25883

Test plan

Green CI.

@linux-foundation-easycla

linux-foundation-easycla bot commented Aug 10, 2023

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: karlnorling / name: Karl Norling (94c1216)
  • ✅ login: SimenB / name: Simen Bekkhus (93b5ce3, 720ba68)

@netlify

netlify bot commented Aug 10, 2023

Deploy Preview for jestjs ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 720ba68
🔍 Latest deploy log https://app.netlify.com/sites/jestjs/deploys/64d67b64b191e80008c66f96
😎 Deploy Preview https://deploy-preview-14401--jestjs.netlify.app

@karlnorling karlnorling force-pushed the sec/semver-CVE-2022-25883 branch from 9a2831e to 6da7366 Compare August 10, 2023 13:30
@SimenB
Member

SimenB commented Aug 10, 2023

The fixed semver is in semver range, so you don't need this update for your own projects.

That said, happy to upgrade to the new major here regardless. Could you run yarn, add a changelog entry and sign the CLA?

@karlnorling karlnorling force-pushed the sec/semver-CVE-2022-25883 branch 2 times, most recently from 7bbe8ce to ddf8a7f Compare August 10, 2023 14:37
@karlnorling
Contributor Author

@SimenB I've added a Changelog message and signed the EasyCLA (10 times now), but it doesn't seem to update.

Then there seems to be a timeout test error https://github.com/jestjs/jest/actions/runs/5822710774/job/15788003352?pr=14401#step:7:121

  • istanbul-lib-instrument updated from 5.10.0 to 6.0.0
    • istanbul-lib-instrument dropping support for node 10
    • fixing semver vuln. CVE-2022-25883
@karlnorling karlnorling force-pushed the sec/semver-CVE-2022-25883 branch from fe92f35 to 94c1216 Compare August 11, 2023 16:29
@karlnorling
Contributor Author

@SimenB I've squashed changes. CLA is solved.


@SimenB SimenB left a comment


Thanks!

@SimenB SimenB merged commit 25a8785 into jestjs:main Aug 12, 2023
@karlnorling karlnorling deleted the sec/semver-CVE-2022-25883 branch August 14, 2023 08:39
@SimenB
Member

SimenB commented Aug 21, 2023

https://github.com/jestjs/jest/releases/tag/v29.6.3

@github-actions

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 21, 2023