
Audit for security issues #321

Closed
3 tasks done
brettz9 opened this issue May 12, 2018 · 1 comment
brettz9 commented May 12, 2018

The latest npm versions provide npm audit to flag security issues with dependencies and devDependencies.

This bug is for tracking problematic dependencies (listing the highest level ancestor responsible); bold items will likely need action:

  • websql -> node-sqlite3 -> node-pre-gyp
    - -> rc -> deep-extend
    - -> hawk
    - -> sntp -> hoek
    - -> hoek
    - -> cryptiles -> boom -> hoek
    - -> boom -> hoek
    - -> request
    - -> http-signature -> sshpk
    - -> hawk
    - -> sntp -> hoek
    - -> hoek
    - -> cryptiles -> boom -> hoek
    - -> boom -> hoek
  • Updated in master (reflected in update to package.json and package-lock.json)
    • grunt-contrib-watch (tiny-lr > body-parser > debug and tiny-lr > debug)
    • grunt-browserify > watchify (need >= 2.1.1) > chokidar (need >= 0.10.4) > fsevents (need >= 0.3.6) > node-pre-gyp (need >= 0.6.34) > rc (need >= 1.2.7) > deep-extend (need >= 0.5.1)
    • grunt-node-qunit (try update to upstream?) -> yomexzo/node-qunit -> qunit -> istanbul
      • -> fileset (-> minimatch && -> glob > minimatch)
      • -> handlebars && handlebars > uglify-js
    • grunt-saucelabs
    • grunt -> (grunt-legacy-util and grunt-legacy-log -> grunt-legacy-log-utils)
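The list above groups each vulnerable module under the top-level dependency responsible for pulling it in. The following Node script, added here as an illustration and not part of IndexedDBShim, performs that same grouping over `npm audit --json` output. It assumes the npm 6 JSON layout (`advisories[*].findings[*].paths` as `>`-separated chains from the top-level package down to the vulnerable module) and falls back to a constructed sample when no file is given; the advisory ids, versions and titles in the sample are made up.

```javascript
// Added example (not from the IndexedDBShim project): group `npm audit --json`
// findings by the top-level dependency responsible, the way the issue lists them.
// Assumes the npm 6 audit JSON layout: advisories[id].findings[].paths are
// ">"-separated chains from the top-level package down to the vulnerable module.

// Constructed sample resembling npm 6 output; ids, versions and titles are made up.
const SAMPLE_AUDIT = {
  advisories: {
    '1': {
      module_name: 'deep-extend',
      severity: 'low',
      title: 'Prototype Pollution',
      patched_versions: '>=0.5.1',
      findings: [{ version: '0.4.2', paths: [
        'websql>sqlite3>node-pre-gyp>rc>deep-extend',
        'grunt-browserify>watchify>chokidar>fsevents>node-pre-gyp>rc>deep-extend'
      ] }]
    },
    '2': {
      module_name: 'hoek',
      severity: 'moderate',
      title: 'Prototype Pollution',
      patched_versions: '>=4.2.1 <5.0.0 || >=5.0.3',
      findings: [{ version: '2.16.3', paths: [
        'websql>sqlite3>node-pre-gyp>hawk>hoek',
        'websql>sqlite3>node-pre-gyp>hawk>sntp>hoek'
      ] }]
    }
  }
};

/**
 * Returns a map: top-level dependency -> array of
 * { module, severity, version, patched, path } for every vulnerable path under it.
 */
function groupByTopLevel(audit) {
  const groups = {};
  for (const advisory of Object.values(audit.advisories || {})) {
    for (const finding of advisory.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split('>');
        const top = chain[0]; // first element is the direct dependency in package.json
        (groups[top] = groups[top] || []).push({
          module: advisory.module_name,
          severity: advisory.severity,
          version: finding.version,
          patched: advisory.patched_versions,
          path: chain.join(' -> ')
        });
      }
    }
  }
  return groups;
}

/** Render the groups in the style of the issue's bullet list. */
function formatReport(groups) {
  return Object.keys(groups).sort().map((top) => {
    const lines = groups[top].map((f) =>
      `  - ${f.path} (${f.severity}; ${f.version} installed, fixed in ${f.patched})`);
    return `* ${top}\n${lines.join('\n')}`;
  }).join('\n');
}

// Usage: npm audit --json > audit.json && node group-audit.js audit.json
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const audit = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_AUDIT;
  console.log(formatReport(groupByTopLevel(audit)));
}
```

Because every path is keyed by its first element, the report tells you which entry in your own `package.json` to bump (or which upstream maintainer to ask) rather than just naming the deeply nested module that `npm audit` flags.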
brettz9 added a commit to brettz9/IndexedDBShim that referenced this issue May 12, 2018
- npm: Update devDeps
- npm: Update `package-lock.json` including update to dependency
    `deep-extend` with npm audit security warning (partial fix for indexeddbshim#321)
brettz9 added a commit to brettz9/IndexedDBShim that referenced this issue May 13, 2018
brettz9 added a commit to brettz9/IndexedDBShim that referenced this issue May 14, 2018
…rsion) for

    version 4.0.0 which improves security (part of indexeddbshim#321)
- Testing: Update web-platform-tests
brettz9 added a commit to brettz9/IndexedDBShim that referenced this issue May 14, 2018
…rsion) for

    version 4.0.0 which improves security (part of indexeddbshim#321)
- npm: Update grunt-node-unit (avoid peerDep warnings)
- Testing: Update web-platform-tests
brettz9 added a commit to brettz9/IndexedDBShim that referenced this issue May 28, 2018
- Refactoring: Remove unnecessary `type=text/css`
- Testing (Grunt): Fix clean-polyfill task (fixes indexeddbshim#322)
- Testing (Grunt): Replace phantom-qunit with puppeteer-qunit
- Testing (QUnit): Fix issue with QUnit 2 (move sample data into test
    starting file); see https://stackoverflow.com/a/38791824/271577
    (fixes indexeddbshim#324)
- npm: Switch unicode-10.0.0 to devDep (with copy routine);
    Fixes indexeddbshim#323
- npm: Update `package-lock.json` (added nested dependencies directly to our
    `package.json` and applied that version info in `package-lock.json` to other
    instances still relying on older versions) (Temporary fix for indexeddbshim#321 until Grunt
    and node-pre-gyp->sqlite3(->websql) update)
- npm: Bump version to 3.7.0
brettz9 commented May 28, 2018

We are now passing tests, but keeping the issue open as we shouldn't need to do this by editing package-lock.json. (yarn.lock has also not yet been updated.)
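The comment above refers to hand-editing `package-lock.json` so that nested copies of a package meet the audited minimums. As an added check (example code, not the project's own), the following Node script walks an npm 6 lock tree and flags every nested copy whose resolved version is below the minimums noted earlier in this issue. The lock file, including the `websql` and `sqlite3` versions in it, is constructed for the example, and the version comparison ignores pre-release tags.

```javascript
// Added example (not IndexedDBShim's own code): walk an npm 6 package-lock.json
// tree and report every nested copy of a package whose resolved version is below
// the minimum the audit asks for. Assumes the npm 6 lock layout: each entry has
// "version" and an optional nested "dependencies" object.

// Minimums taken from the "need >= ..." notes in this issue.
const MINIMUMS = {
  'deep-extend': '0.5.1',
  rc: '1.2.7',
  'node-pre-gyp': '0.6.34',
  fsevents: '0.3.6',
  chokidar: '0.10.4',
  watchify: '2.1.1'
};

// Constructed sample lock (not a real IndexedDBShim lock file).
const SAMPLE_LOCK = {
  dependencies: {
    'deep-extend': { version: '0.5.1' },            // hoisted copy, already fixed
    websql: { version: '0.5.0', dependencies: {
      sqlite3: { version: '3.1.13', dependencies: {
        'node-pre-gyp': { version: '0.6.32', dependencies: {
          rc: { version: '1.2.7', dependencies: {
            'deep-extend': { version: '0.4.2' }     // nested old copy still present
          } }
        } }
      } }
    } }
  }
};

// "v1.2.3-beta" -> [1, 2, 3]; pre-release tags are ignored (assumption for this example).
function parseVersion(v) {
  return v.replace(/^v/, '').split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1 like a comparator; missing components count as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collects { path, version, required } for every entry below its minimum.
function findBelowMinimum(lock, minimums, prefix = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = prefix.concat(name);
    if (minimums[name] && compareVersions(entry.version, minimums[name]) < 0) {
      hits.push({ path: path.join(' > '), version: entry.version, required: minimums[name] });
    }
    hits.push(...findBelowMinimum(entry, minimums, path));
  }
  return hits;
}

// Usage: node check-lock.js package-lock.json  (exits non-zero if anything is below minimum)
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findBelowMinimum(lock, MINIMUMS);
  for (const h of hits) {
    console.log(`${h.path}: ${h.version} installed, need >= ${h.required}`);
  }
  process.exitCode = hits.length ? 1 : 0;
}
```

Running this after each manual lock edit (or in CI) catches the case the comment warns about: a hoisted, fixed copy at the top of the tree while an older nested copy still resolves for one ancestor.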

brettz9 added a commit to brettz9/IndexedDBShim that referenced this issue Jun 5, 2018
- npm: Bump Grunt, removing need for hard-coding its util deps to avoid security issues (toward indexeddbshim#321)
brettz9 added a commit to brettz9/IndexedDBShim that referenced this issue Jun 5, 2018
- npm: Bump Grunt, removing need for hard-coding its util deps to avoid security issues (toward indexeddbshim#321)