Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump versions on azure-devops-node-api to 10.2.2 to address CVE-2021-23358 #380

Closed
akanieski opened this issue May 20, 2021 · 3 comments
Closed

Bump versions on azure-devops-node-api to 10.2.2 to address CVE-2021-23358 #380

akanieski opened this issue May 20, 2021 · 3 comments
Assignees
@max-zaytsev
Labels
Area: tfx-cli bug

Comments

@akanieski
Copy link 

  High            Arbitrary Code Execution                                      

  Package         underscore                                                    

  Patched in      >=1.12.1                                                      

  Dependency of   tfx-cli [dev]                                                 

  Path            tfx-cli > azure-devops-node-api > typed-rest-client >         
                  underscore                                                    

  More info       https://npmjs.com/advisories/1674                             

  High            Arbitrary Code Execution                                      

  Package         underscore                                                    

  Patched in      >=1.12.1                                                      

  Dependency of   tfx-cli [dev]                                                 


  More info       https://npmjs.com/advisories/1674                             

found 2 high severity vulnerabilities in 230 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

According to microsoft/azure-devops-node-api#440 underscore was bumped up on 10.2.2.
@akanieski akanieski mentioned this issue May 20, 2021
Open
@akanieski akanieski changed the title Bump versions on azure-devops-node-api to 10.2.2 to address Bump versions on azure-devops-node-api to 10.2.2 to address CVE-2021-23358 May 20, 2021
@HumiDess HumiDess mentioned this issue May 25, 2021
Open
@MOlausson
Copy link

What's the ETA to get this fixed? Also duplicate in #392.

@anatolybolshakov
Copy link
Contributor

Hi everyone, let us take a look at it this week.

@max-zaytsev max-zaytsev self-assigned this Dec 6, 2021
@max-zaytsev max-zaytsev mentioned this issue Dec 10, 2021
Merged
7 tasks
@max-zaytsev
Copy link

The updated package was published (0.10.0)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@max-zaytsev max-zaytsev

Labels
Area: tfx-cli bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@akanieski @MOlausson @anatolybolshakov @max-zaytsev @DenisRumyantsev