Update vulnerable version of word-wrap #416

Merged
merged 2 commits into from
Jun 28, 2023

@diehuxx diehuxx commented Jun 28, 2023

npm audit is flagging an issue with word-wrap.

word-wrap  *
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
No fix available
node_modules/word-wrap
  optionator  >=0.8.3
  Depends on vulnerable versions of word-wrap
  node_modules/optionator
    eslint  2.5.0 - 2.5.2 || >=6.7.0
    Depends on vulnerable versions of optionator
    node_modules/eslint
      eslint-plugin-todo-plz  *
      Depends on vulnerable versions of eslint
      node_modules/eslint-plugin-todo-plz

Vuln here: https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973

Community fix here: jonschlinkert/word-wrap#33 (comment)

mistermoe previously approved these changes Jun 28, 2023
Member

@mistermoe mistermoe left a comment

BEST

thehenrytsai previously approved these changes Jun 28, 2023
Member

thehenrytsai commented Jun 28, 2023

Hey @diehuxx, just sanity: I ran npm audit fix which seems to have fixed it by modifying the lock file directly. If that's the case I'd just do that and avoid adding overrides.

Author

diehuxx commented Jun 28, 2023

@thehenrytsai Glad you tried it this morning! optionator updated the dependency on their side right after I opened this PR, so no override necessary for us anymore. gkz/optionator#46

@diehuxx diehuxx dismissed stale reviews from thehenrytsai and mistermoe via d5d812a June 28, 2023 19:46
@diehuxx diehuxx changed the title Override vulnerable version of word-wrap Update vulnerable version of word-wrap Jun 28, 2023
@diehuxx diehuxx merged commit c58de77 into main Jun 28, 2023
@thehenrytsai thehenrytsai deleted the fix-word-wrap branch June 28, 2023 21:29
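
Added example, not part of this pull request or the project's code: whether the fix is an `overrides` entry or a lock file change from `npm audit fix`, the result can be checked by reading `package-lock.json` and listing every installed copy of `word-wrap` with the chain of packages that requires it. The sketch assumes the `packages` map of lockfileVersion 2 or 3 and no workspaces; the lockfile fragment and its version numbers are constructed, and `whyInstalled` and `resolveDep` are hypothetical helper names.

```javascript
// Added example: explain why a package is installed, using package-lock.json (lockfileVersion 2 or 3).
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const nameOf = (p) => (p === "" ? "(root)" : p.slice(p.lastIndexOf("node_modules/") + 13));

// Node-style resolution: the requirer's own node_modules first, then each ancestor's.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // declared but not installed (optional or peer dependency)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// One record per installed copy of `target`, with every requirer chain up to the root project.
function whyInstalled(lock, target) {
  const packages = lock.packages;
  const requiredBy = {}; // installed path -> Set of paths whose dependency resolves to it
  for (const [path, meta] of Object.entries(packages)) {
    for (const field of DEP_FIELDS) {
      for (const dep of Object.keys(meta[field] || {})) {
        const hit = resolveDep(packages, path, dep);
        if (hit) (requiredBy[hit] = requiredBy[hit] || new Set()).add(path);
      }
    }
  }
  const chainsFrom = (path, seen) => {
    if (path === "") return [["(root)"]];
    if (seen.has(path)) return []; // dependency cycle: stop here
    const next = new Set(seen).add(path);
    return [...(requiredBy[path] || [])].flatMap((parent) =>
      chainsFrom(parent, next).map((rest) => [nameOf(path), ...rest]));
  };
  return Object.keys(packages)
    .filter((p) => p !== "" && nameOf(p) === target)
    .map((p) => ({ path: p, version: packages[p].version, chains: chainsFrom(p, new Set()) }));
}

// Constructed lockfile fragment: package names come from the audit output above, versions are made up.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { devDependencies: { eslint: "^0.0.2", "eslint-plugin-todo-plz": "^0.0.1" } },
  "node_modules/eslint-plugin-todo-plz": { version: "0.0.1", dependencies: { eslint: "^0.0.2" } },
  "node_modules/eslint": { version: "0.0.2", dependencies: { optionator: "^0.0.3" } },
  "node_modules/optionator": { version: "0.0.3", dependencies: { "word-wrap": "^0.0.4" } },
  "node_modules/word-wrap": { version: "0.0.4" },
} };

for (const copy of whyInstalled(sampleLock, "word-wrap"))
  for (const chain of copy.chains) console.log(`${copy.path}@${copy.version}: ${chain.join(" <- ")}`);
```

Run against the real lock file by passing the parsed JSON instead of `sampleLock`, and compare each reported version with the fixed version named in the advisory.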