Update localtunnel package to fix a vulnerable dependency - fixes #1695 #1697

Merged
merged 1 commit into from
Jun 7, 2019
Contributor

@gaards gaards commented Jun 2, 2019

Updates the localtunnel package to the latest version that includes an updated version of the axios package (which contained a security vulnerability).

Related issue

#1695

@pronebird pronebird left a comment

Merge it!

@@ -48,7 +48,7 @@
"fs-extra": "3.0.1",
"http-proxy": "1.15.2",
"immutable": "^3",
"localtunnel": "1.9.1",
"localtunnel": "1.9.2",
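
Review bot: the replacement line `"localtunnel": "1.9.2",` is still an exact pin in the manifest, so the axios update this PR is after reaches an install only through what localtunnel 1.9.2 itself declares and whatever a lockfile resolves. Nothing in this hunk touches a lockfile; if the repository commits one, regenerate it in the same commit and confirm the resolved axios version there, since the manifest bump alone does not show that the vulnerable axios is gone. Naming the axios advisory in the commit message would also record why the bump was made.
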
Suggested change
"localtunnel": "1.9.2",
"localtunnel": "^1.9.2",

How about adding a caret range? This would allow >=1.9.2 <2.0.0.

https://yarnpkg.com/en/docs/dependency-versions#toc-caret-ranges

In any case, would be great to get this security issue released as soon as possible, pinned or careted.

Thanks!
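
The pinned-versus-caret choice discussed in the comment above, as an added example that is not part of this thread or the browser-sync code base: a minimal caret-range check showing which versions each spec admits, including the narrower behaviour of a caret on 0.x packages such as axios. The helper names are hypothetical, the candidate version lists are constructed rather than taken from the registry, and only plain `x.y.z` versions are handled.

```javascript
// Added example: minimal caret-range check for plain MAJOR.MINOR.PATCH versions.
// Prerelease tags and partial ranges (e.g. "^1.9") are out of scope.

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of ^base: bump the left-most non-zero component.
function caretUpperBound(base) {
  const [maj, min, pat] = base;
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// spec is either an exact pin ("1.9.2") or a caret range ("^1.9.2").
function satisfies(version, spec) {
  const v = parse(version);
  if (!spec.startsWith('^')) return compare(v, parse(spec)) === 0;
  const base = parse(spec.slice(1));
  return compare(v, base) >= 0 && compare(v, caretUpperBound(base)) < 0;
}

// Versions from a candidate list that a spec would accept.
function admitted(candidates, spec) {
  return candidates.filter((v) => satisfies(v, spec));
}

// Constructed candidate lists, not real registry data.
const localtunnelCandidates = ['1.9.1', '1.9.2', '1.9.3', '1.10.0', '2.0.0'];
const axiosCandidates = ['0.18.1', '0.19.0', '0.19.5', '0.20.0'];

console.log('pin 1.9.2  :', admitted(localtunnelCandidates, '1.9.2'));
console.log('^1.9.2     :', admitted(localtunnelCandidates, '^1.9.2'));
console.log('^0.19.0    :', admitted(axiosCandidates, '^0.19.0'));
```

With a pin, every later fix needs another manifest change like this PR; with a caret, later 1.x releases are accepted on the next unlocked install, which is why a committed lockfile matters in either case.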

Contributor Author

If the maintainer(s) are okay with this change it sounds reasonable. What say @shakyShane ?

snuggs commented Jun 4, 2019

@gaards please merge.

@snuggs snuggs left a comment

LGTM. Can we get this in?

@leicht-io leicht-io left a comment

The only difference from localtunnel 1.9.1 to 1.9.2 is the update of axios to 0.19.0 which has no breaking changes.
This merge looks good.

@shakyShane shakyShane changed the title Update localtunnel package to fix a vulnerable dependency Update localtunnel package to fix a vulnerable dependency - fixes #1695 Jun 7, 2019
@shakyShane shakyShane merged commit 209c9c1 into BrowserSync:master Jun 7, 2019
@shakyShane
Contributor

released in browser-sync@2.26.7 - thank you :)
