
Fix high and critical vulnerabilities #630

Merged
merged 1 commit into from
Aug 22, 2023

Conversation

@mojosoeun mojosoeun (Member) commented Aug 22, 2023

What this PR does / why we need it?

Fix high and critical vulnerabilities

Any background context you want to provide?

# npm audit report

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install istanbul-instrumenter-loader@3.0.1, which is a breaking change
node_modules/json5
  loader-utils  <=1.4.0
  Depends on vulnerable versions of json5
  node_modules/loader-utils
    istanbul-instrumenter-loader  0.2.0 - 2.0.0
    Depends on vulnerable versions of loader-utils
    node_modules/istanbul-instrumenter-loader

loader-utils  <=1.4.0
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Depends on vulnerable versions of json5
fix available via `npm audit fix --force`
Will install istanbul-instrumenter-loader@3.0.1, which is a breaking change
node_modules/loader-utils
  istanbul-instrumenter-loader  0.2.0 - 2.0.0
  Depends on vulnerable versions of loader-utils
  node_modules/istanbul-instrumenter-loader

These vulnerabilities came from istanbul-instrumenter-loader (this library turned into an archived repository). So I updated to the new version. However, it is broken when installing packages (npm install) because we use webpack 5 but this library still requires webpack 4.

I saw some open-source projects replace it with an alternative Istanbul loader (JS-DevTools/coverage-istanbul-loader#8). So I replaced istanbul-instrumenter-loader with coverage-istanbul-loader (DataDog/browser-sdk#1023).

Reference: JS-DevTools/coverage-istanbul-loader#8
webpack-contrib/istanbul-instrumenter-loader#110
https://www.npmjs.com/package/coverage-istanbul-loader

What are the relevant tickets?

Fixes #628

Checklist

  • Added relevant tests or not required
  • Didn't break anything
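The PR's reasoning (a high/critical advisory in json5 and loader-utils that is only reachable through the direct dependency istanbul-instrumenter-loader) can be automated over `npm audit --json` output. The script below is an added example, not code from this PR or from yorkie: it assumes npm's audit JSON shape (auditReportVersion 2, where each `vulnerabilities` entry lists `via` as advisory objects or names of other vulnerable packages), and the sample report is constructed to mirror the audit output quoted above.

```javascript
// Added example: attribute every high/critical advisory in an `npm audit --json`
// report to the direct dependency that pulls it in. The report below is
// constructed to mirror the PR's audit output; the `source` ids are placeholders.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    json5: {
      name: 'json5', severity: 'high', isDirect: false, range: '<1.0.2',
      via: [{ source: 1, name: 'json5', title: 'Prototype Pollution in JSON5 via Parse Method',
              url: 'https://github.com/advisories/GHSA-9c47-m6qq-7p4h', severity: 'high' }],
      effects: ['loader-utils'],
    },
    'loader-utils': {
      name: 'loader-utils', severity: 'critical', isDirect: false, range: '<=1.4.0',
      via: [{ source: 2, name: 'loader-utils', title: 'Prototype pollution in webpack loader-utils',
              url: 'https://github.com/advisories/GHSA-76p3-8jx3-jpfq', severity: 'critical' },
            'json5'],
      effects: ['istanbul-instrumenter-loader'],
    },
    'istanbul-instrumenter-loader': {
      name: 'istanbul-instrumenter-loader', severity: 'critical', isDirect: true,
      range: '0.2.0 - 2.0.0', via: ['loader-utils'], effects: [],
    },
  },
};

// Follow `via` entries that name other vulnerable packages and collect the
// advisory objects reachable from `pkg`; `seen` guards against cycles.
function collectAdvisories(vulns, pkg, seen = new Set()) {
  if (seen.has(pkg) || !vulns[pkg]) return [];
  seen.add(pkg);
  const out = [];
  for (const v of vulns[pkg].via) {
    if (typeof v === 'string') out.push(...collectAdvisories(vulns, v, seen));
    else out.push(v);
  }
  return out;
}

// Map each direct dependency to the advisories (at or above minSeverity) it is
// responsible for, so the team knows which package to upgrade or replace.
function triageAudit(report, minSeverity = 'high') {
  const vulns = report.vulnerabilities;
  const result = {};
  for (const [name, entry] of Object.entries(vulns)) {
    if (!entry.isDirect) continue;
    const advisories = collectAdvisories(vulns, name)
      .filter((a) => SEVERITY_RANK[a.severity] >= SEVERITY_RANK[minSeverity]);
    if (advisories.length === 0) continue;
    const worst = advisories.reduce(
      (m, a) => (SEVERITY_RANK[a.severity] > SEVERITY_RANK[m] ? a.severity : m), 'info');
    result[name] = { severity: worst, advisories: advisories.map((a) => a.url) };
  }
  return result;
}
```

Run against a real report with `npm audit --json > audit.json` and pass the parsed file to `triageAudit`; on this sample it points at istanbul-instrumenter-loader as the single direct dependency carrying both advisories.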

@codecov codecov bot commented Aug 22, 2023

Codecov Report

Merging #630 (6a61ed1) into main (808d1f7) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #630   +/-   ##
=======================================
  Coverage   88.40%   88.40%           
=======================================
  Files          80       80           
  Lines        8882     8882           
  Branches      821      821           
=======================================
  Hits         7852     7852           
  Misses        720      720           
  Partials      310      310           

@mojosoeun mojosoeun force-pushed the soeunlee/fix/vulnerabilities branch 3 times, most recently from ac26563 to bcbd34b on August 22, 2023 17:33
@mojosoeun mojosoeun marked this pull request as ready for review August 22, 2023 18:28
@hackerwins hackerwins (Member) left a comment

Thanks for your contribution and detailed description. 👍

@hackerwins hackerwins merged commit 2c151a1 into yorkie-team:main Aug 22, 2023
2 checks passed