Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix for CVE-2021-23425 #3

Merged
merged 2 commits into from Sep 17, 2021
Merged

fix for CVE-2021-23425 #3

merged 2 commits into from Sep 17, 2021

Conversation

Trott
Copy link
Collaborator

@Trott Trott commented Sep 4, 2021
edited

@stevemao I know it's been over 6 years since anything happened with this repository/package, but it would be great if you could merge this and publish a new version.

cchampou
cchampou approved these changes Sep 7, 2021
View reviewed changes
Copy link

@cchampou cchampou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally and works fine 💯

@aixellent
Copy link

@stevemao can you merge that please? :)

@Samarium150 Samarium150 mentioned this pull request Sep 13, 2021
Closed
@Trott
Copy link
Collaborator Author

Trott commented Sep 13, 2021
edited

For people arriving here looking for a solution in the absence of a new release: If you remove node_modules and package-lock.json and then run npm install, you might fix the Snyk/GitHub interface warning.

Explanation: For a lot of people, this is coming from conventional-commits-parser 3.2.1 or older. (This would not typically be a direct dependency. It would be a dependency of another package, such as semantic-release.) conventional-commits-parser 3.2.2 removed trim-off-newlines as a dependency, thus fixing this issue for that package. Ref: conventional-changelog/conventional-changelog#841

If you depend on trim-off-newlines from something else, then this solution may not work. But I suspect this is where most people's issues are coming from.

theoludwig added a commit to theoludwig/theoludwig that referenced this pull request Sep 13, 2021
@theoludwig
build(deps): update latest (fix vulnerability)
4124a69 
Ref:
stevemao/trim-off-newlines#3 (comment)
@stevemao stevemao merged commit fcbb73d into stevemao:master Sep 17, 2021
@Trott Trott deleted the patch-1 branch September 17, 2021 18:23
@dpilch dpilch mentioned this pull request Sep 21, 2021
Merged
@hadasbloom
Copy link

@stevemao I tried contacting you via email regarding this issue a couple of times (maybe went to your spam). I believe this is an incomplete fix for this CVE, if you could take a look at my email that would be great. Thanks!

Hadas from the Snyk Security Team

@Trott
Copy link
Collaborator Author

Trott commented Sep 23, 2021

@hadasbloom If you're comfortable sharing the information with me, my email is in my GitHub profile.

@Trott
Copy link
Collaborator Author

Trott commented Sep 23, 2021

@hadasbloom If you're comfortable sharing the information with me, my email is in my GitHub profile.

Actually, I think I found the problem that you likely identified. I'll test a bit more and if I'm Not Wrong About That, I'll get a PR in to fix it soon.

@Trott
Copy link
Collaborator Author

Trott commented Sep 23, 2021

@hadasbloom Please take a look at #4

@debricked debricked bot mentioned this pull request Feb 23, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ryansonshine ryansonshine ryansonshine approved these changes

@aixellent aixellent aixellent approved these changes

@ajkl2533 ajkl2533 ajkl2533 approved these changes

@cchampou cchampou cchampou approved these changes

@theoludwig theoludwig theoludwig approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@Trott @aixellent @hadasbloom @ryansonshine @ajkl2533 @cchampou @theoludwig @stevemao