
Update sockjs dependency to fix auditjs security vulnerability warning #1178

Merged
merged 3 commits into from Dec 22, 2017

Conversation

fwielstra
Contributor

What kind of change does this PR introduce?

Updates sockjs to 0.3.19

Did you add or update the examples/?

nay

Summary

#1177

Does this PR introduce a breaking change?
It shouldn't

Other information

@jsf-clabot

jsf-clabot commented Nov 6, 2017

CLA assistant check
All committers have signed the CLA.

@codecov

codecov bot commented Nov 6, 2017

Codecov Report

Merging #1178 into master will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##           master    #1178   +/-   ##
=======================================
  Coverage   76.31%   76.31%           
=======================================
  Files           5        5           
  Lines         477      477           
  Branches      154      154           
=======================================
  Hits          364      364           
  Misses        113      113

Powered by Codecov. Last update 7e89442...3f923ad.

@shellscape
Contributor

@fwielstra thanks for the PR. we'll still have to go through the /examples using this sha to make sure that it doesn't break anything, even though it shouldn't. sockjs in this project is a rather fragile pain point, so we have to be extra certain. please understand that may take a while, as our efforts are focused on v3 (which removes SockJS as a dependency) at the moment. it's also worth noting that this vulnerability shouldn't be an issue for webpack-dev-server, as it should never be run in anything but a dev/test environment, and certainly not exposed to the public.

@fwielstra
Contributor Author

That's okay, if sockjs is removed completely that will also resolve the issue. We also only use this project in development, and are ignoring the security warning - we'd prefer to just ignore it, but I've not been able to find the vulnerability ID to put in the auditjs whitelist (see this issue).

So yeah, no worries, take your time or just close this issue when 3.0 is out, I'm sure we'll be able to upgrade soon after. Thanks!
