Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deploying an update to address security vulnerability #3877

Closed
MgenGlder opened this issue Dec 1, 2022 · 9 comments 路 Fixed by #3911
Closed

Deploying an update to address security vulnerability #3877

MgenGlder opened this issue Dec 1, 2022 · 9 comments 路 Fixed by #3911
Labels
Status: Triage Needs to be verified, categorized, etc Type: Bug / Error Something isn't working or is incorrect

Comments

@MgenGlder
Copy link

Description

Hello 馃憢馃従

Is it possible to release a patch that includes only the security vulnerability updates? In particular, was interested in the recent dagre-d3 updates by @aloisklink that gets rid of a critical vulnerability. This would help out those of us that use these in public enterprise-grade applications where security is a big concern.

Thanks!

Steps to reproduce

  1. Install mermaid-js
  2. Run npm audit

Screenshots

No response

Code Sample

No response

Setup

No response

Additional Context

No response
@MgenGlder MgenGlder added Status: Triage Needs to be verified, categorized, etc Type: Bug / Error Something isn't working or is incorrect labels Dec 1, 2022
@huineng
Copy link

huineng commented Dec 13, 2022

#3666 (comment)

@benjmac
Copy link

benjmac commented Dec 14, 2022

Hello, I'm checking to see if there is an update on when this fix will be released? Thanks!

@MgenGlder
Copy link
Author

@weedySeaDragon Hey! 馃憢馃従 Is there any possibility this could get looked at? I would also love to take this on myself but I would need permissions to release to npm.

@weedySeaDragon
Copy link
Contributor

@MgenGlder I'm just a contributor & don't have any input or control about releases.
But @knsv certainly does :-) (and maybe @aloisklink and @sidharthv96 can help)

@aloisklink
Copy link
Member

aloisklink commented Dec 14, 2022
edited

But @knsv certainly does :-) (and maybe @aloisklink and @sidharthv96 can help)

I also can't control releases, unfortunately.

@sidharthv96 did mention a couple days ago that a new release should be coming soon, but maybe there was some bugs encountered during testing. See https://mermaid-talk.slack.com/archives/CL1LQC1QU/p1669962476721549?thread_ts=1669930601.500959&cid=CL1LQC1QU

If bugs are blocking a new release, though, somebody with release permissions could just cherry-pick commit fd76e0e onto the v9.2.2 tag to make a v9.2.3 release. In that case, the v9.2.3 would be missing a bunch of other features/bug-fixes, but at least it would have this security issue fixed.

Edit: You could try using the 9.3.0-rc.6 pre-release on NPM, but as it's a release candidate, there's a good chance that there are still some bugs there that haven't been squashed.

@sidharthv96
Copy link
Member

Yes, a bug with dagre-d3-es was holding up the release.
mermaid-js/mermaid-live-editor#1119

@sidharthv96
Copy link
Member

That issue has been resolved. New release coming in few hours after a final round of testing (if we don't find some other bugs).

Meanwhile, can you try if 9.3.0-rc.7 resolves your problem and also works as expected?

@sidharthv96 sidharthv96 mentioned this issue Dec 15, 2022
Merged
3 tasks
@rinchik
Copy link

rinchik commented Dec 15, 2022

This is awesome! Thank you everyone (and @MgenGlder for driving!)

@MgenGlder
Copy link
Author

Agreed, definitely a community effort here! And many thanks to @sidharthv96 for taking this home.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Status: Triage Needs to be verified, categorized, etc Type: Bug / Error Something isn't working or is incorrect
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Release/9.3.0 mermaid-js/mermaid
7 participants
@weedySeaDragon @rinchik @huineng @MgenGlder @sidharthv96 @aloisklink @benjmac