Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: ⬆️ CVE-2022-0235 #459

Merged
merged 4 commits into from
Jan 26, 2022
Merged

fix: ⬆️ CVE-2022-0235 #459

merged 4 commits into from
Jan 26, 2022

Conversation

chientrm
Copy link
Contributor

update node-fetch to 2.6.7 to fix CVE-2022-0235

@kaylareopelle kaylareopelle mentioned this pull request Jan 22, 2022
Closed
@chientrm chientrm closed this Jan 22, 2022
@chientrm chientrm reopened this Jan 22, 2022
@jeremymeng
Copy link
Member

@chientrm Thank you for your contribution! Could you please update the version number to 2.6.1 in package.json and lib/util/constants.ts? Please also add an entry in the Changelog.md

@ramya-rao-a
Copy link
Contributor

@jeremymeng Do we need this update given that semver will ensure the latest version is served?

@jeremymeng
Copy link
Member

@ramya-rao-a I feel it's ok to ensure minimum version to get the security fixes. This sounds a good topic to discuss in our team meeting.

@ghost
Copy link

ghost commented Jan 25, 2022
edited by ghost
Loading

CLA assistant check
All CLA requirements met.

@chientrm
Copy link
Contributor Author

@chientrm Thank you for your contribution! Could you please update the version number to 2.6.1 in package.json and lib/util/constants.ts? Please also add an entry in the Changelog.md

I updated the version numbers and added an entry in the Changelog.

jeremymeng
jeremymeng approved these changes Jan 26, 2022
View reviewed changes
Copy link
Member

@jeremymeng jeremymeng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the contribution!

@jeremymeng jeremymeng merged commit 66c298f into Azure:master Jan 26, 2022
@jeremymeng
Copy link
Member

@chientrm if a dependency version with security fixes falls into our semver range (in this case ^2.6.0), in general customer should be able to get the update without any changes needed in ms-rest-js. Here's a discussion on how to get the update: Azure/azure-sdk-for-js#19138 (comment)

@chientrm
Copy link
Contributor Author

@chientrm if a dependency version with security fixes falls into our semver range (in this case ^2.6.0), in general customer should be able to get the update without any changes needed in ms-rest-js. Here's a discussion on how to get the update: Azure/azure-sdk-for-js#19138 (comment)

Had just checked npm audit and those critical vulnerabilities are gone.

Thank you so much for your response.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jeremymeng jeremymeng jeremymeng approved these changes

@deyaaeldeen deyaaeldeen Awaiting requested review from deyaaeldeen deyaaeldeen is a code owner

@ramya-rao-a ramya-rao-a Awaiting requested review from ramya-rao-a

@xirzec xirzec Awaiting requested review from xirzec xirzec is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@chientrm @jeremymeng @ramya-rao-a