Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

js-yaml needs to be updated (and should have a range version) #3876

Closed
kaiyoma opened this issue Apr 15, 2019 · 7 comments · Fixed by #3877
Closed

js-yaml needs to be updated (and should have a range version) #3876

kaiyoma opened this issue Apr 15, 2019 · 7 comments · Fixed by #3877
Labels
area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes"

Comments

@kaiyoma
Copy link

kaiyoma commented Apr 15, 2019

Description

js-yaml has a new security vulnerability: https://www.npmjs.com/advisories/813

For some reason, a specific version (3.13.0) is being specified in package.json. Why isn't this a range?

Steps to Reproduce

Install the latest version of mocha, then run yarn audit.

Expected behavior:
No vulnerabilities found.

Actual behavior:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > js-yaml                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/813                         │
└───────────────┴──────────────────────────────────────────────────────────────┘

Versions

mocha 6.1.3
@bjornstar bjornstar mentioned this issue Apr 16, 2019
Merged
@soatok
Copy link

soatok commented Apr 16, 2019

This is giving me a sev:high security alert when I run npm audit :(

@meszaros-lajos-gyorgy
Copy link

Someone is being really active at npm, going through js-yaml with a fine tooth comb. The last issue was reported in less than a month: https://www.npmjs.com/advisories/788

This was referenced Apr 16, 2019
Merged
Closed
@fsinisi90
Copy link

fsinisi90 commented Apr 16, 2019
edited
Loading

Same warning here, npm audit --force fix wasn't fixing it.

I had to update the package.json of mocha manually with:

"js-yaml": "3.13.1"

@anastasia-b
Copy link

Do you have any idea on when the PR will get merged? Our team is very eager for this security fix :)

@HaaLeo HaaLeo mentioned this issue Apr 16, 2019
Merged
TheGoddessInari added a commit to TheGoddessInari/hamsket that referenced this issue Apr 16, 2019
@TheGoddessInari
Update electron-builder and mocha because of https://www.npmjs.com/ad…
01dceeb 
…visories/813.

Still doesn't fully fix it for mocha, but that's tracked at mochajs/mocha#3876.
@AlexZeitler AlexZeitler mentioned this issue Apr 17, 2019
Open
@plroebuck plroebuck added area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes" and removed unconfirmed-bug labels Apr 17, 2019
@yelworc
Copy link

yelworc commented Apr 18, 2019

Out of curiosity, what is the rationale behind pinning exact dependency versions in package.json (@plroebuck)? Why not at least use the tilde operator, so npm audit can fix issues like this one without having to wait for the next mocha release? Did a quick search in this repo and the maintainers doc but couldn't find any explanation.

@boneskull boneskull mentioned this issue Apr 18, 2019
Closed
4 tasks
@boneskull
Copy link
Contributor

released as v6.1.4

@tehshane
Copy link

Thanks! 🙌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes"
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update js-yaml from 3.13.0 to 3.13.1 bjornstar/mocha
9 participants
@yelworc @boneskull @anastasia-b @meszaros-lajos-gyorgy @tehshane @soatok @kaiyoma @fsinisi90 @plroebuck