
fix: upgrade @adobe/css-tools to 4.3.1 to address vulnerability #532

Conversation

justinbaltazar
Contributor

@justinbaltazar justinbaltazar commented Aug 30, 2023

What:
This PR bumps the @adobe/css-tools dependency to 4.3.1

Why:
There is an existing advisory on version 4.3.0:
GHSA-hpx4-r86g-5jrg

How:
Updated package.json.

Checklist:

  • Documentation
  • Tests
  • Updated Type Definitions
  • Ready to be merged

@justinbaltazar justinbaltazar changed the title update @adobe/css-tools to 4.3.1 to address vulnerability fix: upgrade @adobe/css-tools to 4.3.1 to address vulnerability Aug 30, 2023
@justinbaltazar justinbaltazar marked this pull request as ready for review August 30, 2023 19:07
@rakleed

rakleed commented Sep 5, 2023

@jgoz

@lritter79

lritter79 commented Sep 26, 2023

@nickmccurdy respectfully bumping since this is causing an issue as a dependency of okta-signin-widget

@ghost

ghost commented Oct 3, 2023

Bump?

@jgoz
Collaborator

jgoz commented Oct 3, 2023

I don't see the point of this change. The existing dependency range will allow package consumers to update the transitive dependency version via npm audit fix or equivalent with other package managers. What am I missing?

@lritter79

@jgoz I think it's worth adding this change to ensure that consumers of this package are secure since 4.3.0 has a vulnerability, and it would be courteous to just bump the version up and keep this package reliable.

@codecov

codecov bot commented Oct 12, 2023

Codecov Report

Merging #532 (3d4605e) into main (5b492ac) will not change coverage.
Report is 1 commit behind head on main.
The diff coverage is n/a.

@@            Coverage Diff            @@
##              main      #532   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           27        27           
  Lines          664       664           
  Branches       251       251           
=========================================
  Hits           664       664           


@nickmccurdy nickmccurdy merged commit 44f1eab into testing-library:main Oct 12, 2023
7 checks passed
@github-actions

🎉 This PR is included in version 6.1.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

@nickmccurdy
Member

Merging since it's just a patch release which shouldn't have breaking changes.

@justinbaltazar
Contributor Author

Thanks all!

@lernerb

lernerb commented Dec 5, 2023

@justinbaltazar It looks like we need to push the min 4.3.2 based on the latest security patch per GH, not 4.3.1 - I can spin up a quick patch...

GHSA-prr3-c3m5-p7q2

Impact

@adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

EDIT: Patch (#555)
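The two comments above make a point worth checking mechanically: jgoz notes that the dependency range already lets consumers pull a fixed transitive version via `npm audit fix`, and lernerb notes that 4.3.1 is itself still affected by GHSA-prr3-c3m5-p7q2. The script below is an added example, not code from this PR or from testing-library; it walks the `packages` map of an npm lockfile (v2/v3) and reports every resolved copy of `@adobe/css-tools`, hoisted or nested, that falls inside either advisory. The affected ranges are assumptions taken from the thread's wording (GHSA-hpx4-r86g-5jrg described as affecting 4.3.0, GHSA-prr3-c3m5-p7q2 as 4.3.1 and earlier), and the lockfile content is constructed.

```javascript
// Added example: find lockfile copies of @adobe/css-tools inside the advisories
// discussed in this thread. Ranges are assumptions from the comments, not from
// the advisories' own metadata.
const ADVISORIES = [
  { id: 'GHSA-hpx4-r86g-5jrg', affected: (v) => cmp(v, '4.3.0') === 0 },  // "version 4.3.0"
  { id: 'GHSA-prr3-c3m5-p7q2', affected: (v) => cmp(v, '4.3.1') <= 0 },   // "4.3.1 and earlier"
];

// Numeric comparison of "major.minor.patch"; prerelease tags are ignored.
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 2/3 keeps every installed copy under "packages", keyed by path,
// so nested duplicates such as ".../jest-dom/node_modules/@adobe/css-tools" are
// visible alongside the hoisted one.
function findAffected(lock, name = '@adobe/css-tools') {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + name)) continue;
    for (const adv of ADVISORIES) {
      if (adv.affected(entry.version)) {
        findings.push({ path, version: entry.version, advisory: adv.id });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile: the hoisted copy is already on 4.3.2, but a nested
// copy under jest-dom is still on 4.3.0 and would be missed by a top-level check.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@adobe/css-tools': { version: '4.3.2' },
    'node_modules/@testing-library/jest-dom/node_modules/@adobe/css-tools': { version: '4.3.0' },
  },
};

console.log(JSON.stringify(findAffected(SAMPLE_LOCK), null, 2));
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means no resolved copy is inside either assumed range.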


7 participants