From e62c077d4549667de9648cbdc3701d5a4d6ee515 Mon Sep 17 00:00:00 2001
From: vince-fugnitto
Date: Mon, 3 Aug 2020 14:14:17 -0400
Subject: [PATCH] security: update 'decompress' dependency

The following commit updates the `decompress` dependency to benefit from the security vulnerability fix.
Signed-off-by: vince-fugnitto
---
 CHANGELOG.md | 2 ++
 packages/plugin-ext/package.json | 2 +-
 yarn.lock | 8 ++++----
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b5dadea4c253..a39cbc6372ae9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 ## v1.5.0
+- [security] updated version range of `decompress` to fix the known [security vulnerability](https://snyk.io/vuln/SNYK-JS-DECOMPRESS-557358) [#8924](https://github.com/eclipse-theia/theia/pull/8294)
+ - Note: the updated dependency may have a [performance impact](https://github.com/eclipse-theia/theia/pull/7715#issuecomment-667434288) on the deployment of plugins.
 - [[electron]](#1_5_0_electron_main_extension) Electron applications can now be configured/extended through `inversify`. Added new `electronMain` extension points to provide inversify container modules. [#8076](https://github.com/eclipse-theia/theia/pull/8076)
diff --git a/packages/plugin-ext/package.json b/packages/plugin-ext/package.json
index 44ef25c0d5a17..2a6ceb39f7e86 100644
--- a/packages/plugin-ext/package.json
+++ b/packages/plugin-ext/package.json
@@ -27,7 +27,7 @@
 "@types/mime": "^2.0.1",
 "@types/serve-static": "^1.13.3",
 "connect": "^3.7.0",
- "decompress": "4.2.0",
+ "decompress": "^4.2.1",
 "escape-html": "^1.0.3",
 "filenamify": "^4.1.0",
 "jsonc-parser": "^2.0.2",
diff --git a/yarn.lock b/yarn.lock
index adba1e52b9307..ea3f498113154 100644
--- a/yarn.lock
+++ b/yarn.lock
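Review bot: The `decompress` specifier in `packages/plugin-ext/package.json` changes from the exact pin `4.2.0` to the caret range `^4.2.1`, which is a policy change on top of the security bump. The repository's `yarn.lock` still fixes 4.2.1 with a sha512 integrity value, but consumers who install this package outside the repository resolve the range themselves and may get a later 4.x release that was not exercised here. If the earlier exact pin was deliberate (the CHANGELOG note about a performance impact on plugin deployment suggests the version matters), `"decompress": "4.2.1"` keeps the fix without widening the range; if the range is intended, the commit message should say so. Separately, the new CHANGELOG entry labels its link `#8924` while the URL points to `pull/8294`, so one of the two is probably a typo.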
@@ -4846,10 +4846,10 @@ decompress-unzip@^4.0.1: pify "^2.3.0" yauzl "^2.4.2" -decompress@4.2.0: - version "4.2.0" - resolved "https://registry.yarnpkg.com/decompress/-/decompress-4.2.0.tgz#7aedd85427e5a92dacfe55674a7c505e96d01f9d" - integrity sha1-eu3YVCflqS2s/lVnSnxQXpbQH50= +decompress@^4.2.1: + version "4.2.1" + resolved "https://registry.yarnpkg.com/decompress/-/decompress-4.2.1.tgz#007f55cc6a62c055afa37c07eb6a4ee1b773f118" + integrity sha512-e48kc2IjU+2Zw8cTb6VZcJQ3lgVbS4uuB1TfCHbiZIP/haNXm+SVyhu+87jts5/3ROpd82GSVCoNs/z8l4ZOaQ== dependencies: decompress-tar "^4.0.0" decompress-tarbz2 "^4.0.0"