
CVE-2022-36313 found in file-type #204

Closed
andreainnocenti opened this issue Jul 25, 2022 · 3 comments · Fixed by #205

@andreainnocenti

https://security.snyk.io/vuln/SNYK-JS-FILETYPE-2958042

This project imports an old version of file-type, and now a vulnerability has been discovered.


TannerS commented Jul 25, 2022

This is appearing as a moderate in multiple IBM projects.

dpopp07 (Member) commented Jul 25, 2022

Thanks for the issue - I'm investigating and should have a patch out soon

dpopp07 added a commit that referenced this issue Jul 28, 2022
The `file-type` package has a vulnerability that persists until v16.5.4. This
commit updates the package to v16.5.4 to avoid the vulnerability. However, the
package update required changes in how we use the package in our code which
resulted in incompatible updates to a couple of functions that are part of our
public API. Though it is unlikely these functions are being widely used, this
change will need to go into a new major version.

BREAKING CHANGE: two synchronous public functions are now asynchronous

The function `getContentType` formerly returned a string but now returns a
Promise that resolves to a string. The function `buildRequestFileObject`
formerly returned a `FileObject` but now returns a Promise that resolves to
a `FileObject`.

Fixes #204

Signed-off-by: Dustin Popp <dpopp07@gmail.com>
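The commit message puts the fix boundary at file-type v16.5.4. As an added example (not code from this issue or from the SDK project), the script below audits a package-lock.json (lockfileVersion 2 or 3, `packages` map) for hoisted or nested copies of file-type older than that release; the sample lockfile and the `example-sdk` package name are constructed placeholders.

```javascript
// Added example, not code from the issue or the SDK project: audit a
// package-lock.json "packages" map for copies of file-type older than 16.5.4.
const FIXED_VERSION = '16.5.4';

// Parse "16.5.4" (optional "v" prefix, prerelease tag ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk every installed path in the lockfile (hoisted and nested copies alike)
// and report those whose package name matches and whose version predates the fix.
function findVulnerableCopies(lock, pkgName = 'file-type', fixed = FIXED_VERSION) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/file-type"; the root is "".
    const name = path.split('node_modules/').pop();
    if (name !== pkgName || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: "example-sdk" is a placeholder, not a real package.
// The hoisted file-type is patched; the copy nested under example-sdk is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/file-type': { version: '16.5.4' },
    'node_modules/example-sdk': { version: '2.17.15' },
    'node_modules/example-sdk/node_modules/file-type': { version: '16.5.3' },
  },
};

console.log(findVulnerableCopies(SAMPLE_LOCK));
```

Point `findVulnerableCopies` at the parsed contents of a real lockfile to catch the nested copy that a hoisted, already-patched file-type would otherwise hide.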
ibm-devx-sdk pushed a commit that referenced this issue Jul 28, 2022
# [3.0.0](v2.17.15...v3.0.0) (2022-07-28)

### Bug Fixes

* update file-type to resolve vulnerability ([#205](#205)) ([843e66d](843e66d)), closes [#204](#204)

### BREAKING CHANGES

* two synchronous public functions are now asynchronous

The function `getContentType` formerly returned a string but now returns a
Promise that resolves to a string. The function `buildRequestFileObject`
formerly returned a `FileObject` but now returns a Promise that resolves to
a `FileObject`.
@ibm-devx-sdk

🎉 This issue has been resolved in version 3.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
