
Backport fix for CVE-2022-46175 to v1 #298

Merged
merged 2 commits into from Dec 29, 2022

Conversation

@ashkulz ashkulz commented Dec 29, 2022

According to npm, 1.0.1 has more downloads so it makes sense to backport it.


ashkulz commented Dec 29, 2022

@jordanbtucker would appreciate a 1.0.2 release to npm -- I think the NodeJS 4 error can be ignored as I used git cherry-pick and didn't want to change the code otherwise 🙂

@jordanbtucker jordanbtucker changed the title backport fix for CVE-2022-46175 to v1 Backport fix for CVE-2022-46175 to v1 Dec 29, 2022
@jordanbtucker
Member

Thanks for this. Technically v2 has slightly more downloads than v1 when you combine all v2 versions, but I agree that it would be good to backport this to v1.

@jordanbtucker
Member

I'm going to merge this even though the Node v4 build is failing. I've also tested these changes with newer versions of Node and the tests pass.

@jordanbtucker jordanbtucker merged commit 62a6540 into json5:v1 Dec 29, 2022
@ashkulz ashkulz deleted the v1_CVE-2022-46175 branch December 29, 2022 07:14

ashkulz commented Dec 29, 2022

Thanks for the quick turnaround, @jordanbtucker! Is it possible for you to tag and push 1.0.2 to npm? 🙂

@jordanbtucker
Member

Need to make a few more changes. The tests are failing on my machine so I can't publish due to the npm scripts. I'll try to get it published tomorrow.


ashkulz commented Dec 29, 2022

Thanks for being so responsive even in the holiday season, @jordanbtucker! Wish you a happy new year in advance 🎉


ljharb commented Dec 29, 2022

Thanks in advance for publishing this backport! It really helps transitive upstream maintainers <3


mashpie commented Dec 29, 2022

Thanks for backporting!


ljharb commented Dec 29, 2022

@jordanbtucker heads up that if this is failing on node 4, publishing this will be a breaking change for eslint-plugin-import.

(However, if it's just rollup breaking in node 4, then it should work fine, and a good fix for CI would be doing the build in one stage on latest node, and the tests in all the nodes on another stage)

@jordanbtucker
Member

@ljharb Thanks for the info. There should be no breaking changes in the production code, although some of the dev dependencies aren't very happy right now. I'm going to test with Node v4 before publishing to make sure!


tapasmitamishra25 commented Dec 30, 2022

May I know if it is published or not? Any ETA? @jordanbtucker @ashkulz

@jordanbtucker
Member

v1.0.2 has been published 🚀

bickelj added a commit to PhilanthropyDataCommons/service that referenced this pull request Dec 30, 2022
This update attempt was spurred by an alleged json5 vulnerability.
It is a dev dependency and therefore should not be included in
production code and therefore should not affect deployed instances of
the software.

This commit includes an update to json5 v1 which should be compatible
with eslint plugin and removes the vulnerability.

See import-js/eslint-plugin-import#2447 (comment)
See json5/json5#298

Issue #190 `npm ci` reports vulnerabilities...
@karlhorky

I suggested a change to the GitHub Advisory:
