Fix vulnerabilities #15896

Merged
merged 19 commits into from
Feb 15, 2022
Conversation

DaniilShmelev
Contributor

@DaniilShmelev DaniilShmelev commented Feb 9, 2022

Task name: root of the repo, ANTV1, AndroidSigningV2, AndroidSigningV3, ArchiveFilesV2, BashV3, CMakeV1, CUrlUploaderV2, CmdLineV2, CocoaPodsV0, DecryptFileV1, CopyFilesOverSSHV0

Description:
Root:

  • Removed unused mocha-junit-reporter.
  • Removed mocha-junit-reporter traces from make.js.
  • Removed unused markdown-toc.
  • Updated mocha to 5.x to resolve most vulnerabilities. There's still one remaining for this package - mocha > mkdirp > minimist. All dependencies are fixed only in mocha 9.x, but we can't update to this version until we fully migrate to node 10.
  • Bumped other vulnerable packages. Some of them had breaking changes, so changes have been made to make.js and make-util.js to bring dependency usage up to date.

ANTV1, AndroidSigningV2, AndroidSigningV3, ArchiveFilesV2, BashV3, CMakeV1, CUrlUploaderV2, CmdLineV2, CocoaPodsV0, DecryptFileV1

  • Bumped path-parse.
  • For some of those tasks, the package-lock structure has changed, but no dependencies other than path-parse changed.

CopyFilesOverSSHV0

  • Bumped vulnerable ssh2 package version. This is a major version bump, so rigorous testing is needed.
  • Had to bump ssh2-sftp-client too because of ssh2 update.

Documentation changes required: No

Added unit tests: No

Checklist:

  • Task version was bumped - please check the instructions on how to do it
  • Checked that applied changes work as expected
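Added example, not code from this pull request or the repository: a small Node script that walks a lockfileVersion 1 package-lock.json and lists every dependency chain that reaches a named package, then flags the chains whose installed copy is still below a fixed version, which is the check behind the "mocha > mkdirp > minimist" remark above. The lock tree and the version numbers (including the 1.2.3 threshold used in the usage note) are constructed placeholders, not values taken from the repository or an advisory.

```javascript
// Added example, not part of the pull request: list every dependency chain in a
// lockfileVersion 1 package-lock.json that reaches a given package, and flag the
// chains whose installed copy is below the advisory's fixed version.

// Constructed sample lock tree in v1 nested-`dependencies` shape; versions are
// placeholders chosen for the example, not the repository's real ones.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    mocha: {
      version: '5.2.0',
      dependencies: {
        mkdirp: { version: '0.5.1', dependencies: { minimist: { version: '0.0.8' } } },
      },
    },
    minimist: { version: '1.2.5' },
    'path-parse': { version: '1.0.7' },
  },
};

// Depth-first walk over nested `dependencies`; every installed copy of `target`
// yields one chain such as "mocha > mkdirp > minimist@0.0.8".
function findChains(lock, target) {
  const found = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const chain = [...path, name];
      if (name === target) found.push(`${chain.join(' > ')}@${info.version}`);
      walk(info.dependencies, chain);
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Numeric dotted-version comparison (no ranges or prerelease tags): version < fixed.
function isBelow(version, fixed) {
  const a = version.split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Chains still carrying a copy older than `fixedVersion` after the bump.
function vulnerableChains(lock, target, fixedVersion) {
  return findChains(lock, target).filter(c => isBelow(c.split('@').pop(), fixedVersion));
}
```

With the sample tree, `vulnerableChains(sampleLock, 'minimist', '1.2.3')` returns only the nested `mocha > mkdirp > minimist@0.0.8` chain, while the top-level minimist copy is reported as fixed; point `sampleLock` at a real parsed lockfile to run the same check on a task.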

@DaniilShmelev DaniilShmelev self-assigned this Feb 9, 2022
@DaniilShmelev DaniilShmelev marked this pull request as ready for review February 11, 2022 07:38
@DaniilShmelev DaniilShmelev requested a review from a team as a code owner February 11, 2022 07:38
Contributor

@mr-dokara mr-dokara left a comment

LGTM

@DaniilShmelev DaniilShmelev merged commit f010d67 into master Feb 15, 2022