Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

js-yaml needs to be updated (and should have a range version) #3876

Closed
kaiyoma opened this issue Apr 15, 2019 · 7 comments · Fixed by #3877
Closed

js-yaml needs to be updated (and should have a range version) #3876

kaiyoma opened this issue Apr 15, 2019 · 7 comments · Fixed by #3877
Labels
area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes"

Comments

@kaiyoma
Copy link

kaiyoma commented Apr 15, 2019

Description

js-yaml has a new security vulnerability: https://www.npmjs.com/advisories/813

For some reason, a specific version (3.13.0) is being specified in package.json. Why isn't this a range?

Steps to Reproduce

Install the latest version of mocha, then run yarn audit.

Expected behavior:
No vulnerabilities found.

Actual behavior:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > js-yaml                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/813                         │
└───────────────┴──────────────────────────────────────────────────────────────┘

Versions

mocha 6.1.3

@soatok
Copy link

soatok commented Apr 16, 2019

This is giving me a sev:high security alert when I run npm audit :(

@meszaros-lajos-gyorgy
Copy link

Someone is being really active at npm, going through js-yaml with a fine tooth comb. The last issue was reported in less than a month: https://www.npmjs.com/advisories/788

@fsinisi90
Copy link

fsinisi90 commented Apr 16, 2019

Same warning here, npm audit --force fix wasn't fixing it.

I had to update the package.json of mocha manually with:

"js-yaml": "3.13.1"

@anastasia-b
Copy link

Do you have any idea on when the PR will get merged? Our team is very eager for this security fix :)

TheGoddessInari added a commit to TheGoddessInari/hamsket that referenced this issue Apr 16, 2019
@plroebuck plroebuck added area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes" and removed unconfirmed-bug labels Apr 17, 2019
@yelworc
Copy link

yelworc commented Apr 18, 2019

Out of curiosity, what is the rationale behind pinning exact dependency versions in package.json (@plroebuck)? Why not at least use the tilde operator, so npm audit can fix issues like this one without having to wait for the next mocha release? Did a quick search in this repo and the maintainers doc but couldn't find any explanation.

@boneskull
Copy link
Contributor

released as v6.1.4

@tehshane
Copy link

Thanks! 🙌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes"
Projects
None yet
Development

Successfully merging a pull request may close this issue.

9 participants