chore: update eslint-utils to 1.4.2 #16992

Merged
merged 1 commit into from
Aug 23, 2019

Conversation

nikoladev
Contributor

Description

From npm's security advisory:

Versions of eslint-utils >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The getStaticValue does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The getStringIfConstant and getPropertyName functions are not affected.

More info:

@nikoladev nikoladev requested a review from a team as a code owner August 23, 2019 11:23
@nikoladev
Contributor Author

Oops, I see that I've given the branch an incorrect name! This fix updated eslint-utils to 1.4.2, to be clear.

@wardpeet wardpeet added the status: blocked This issue/PR can't be solved at the moment and shouldn't be closed/merged label Aug 23, 2019
@wardpeet
Contributor

wardpeet commented Aug 23, 2019

Hey, changing yarn.lock doesn't really fix this issue. It will be fixed for yarn users that use this repository, but it won't be used by people that install gatsby and create an application with it.

We don't have eslint-utils specified anywhere except our dependencies, so we can't really solve this problem. We'll need to upgrade to eslint 6, which we can't as we support node 8.0 and eslint 6 needs 8.10.0 or something.

Edit, this will actually work, don't mind my comments. Thanks for updating!
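The two things discussed above, the advisory's version range for eslint-utils (>=1.2.0 and <1.4.1) and the point that a repository's yarn.lock only pins what that repository itself installs, are both things a consumer can check against their own lockfile. The script below is an added example, not code from this PR, from gatsby or from eslint-utils: it parses a yarn.lock v1 file and reports every eslint-utils entry whose resolved version falls inside the advisory range. The lockfile text, the helper names (parseYarnLock, findVulnerableEslintUtils and so on) and the minimal version comparator are all constructed for the example; the comparator only looks at the numeric x.y.z prefix and ignores pre-release suffixes.

```javascript
// Added example (not code from the gatsby PR or from eslint-utils): scan a
// yarn.lock v1 file for eslint-utils entries whose resolved version falls in
// the advisory range >=1.2.0 <1.4.1. Runs offline on constructed lockfile text.

// Constructed yarn.lock v1 excerpt for the example (hashes omitted). It mixes a
// vulnerable resolution (1.4.0), a patched one (1.4.2) and an unrelated package.
const SAMPLE_YARN_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


eslint-utils@^1.3.1:
  version "1.4.0"
  resolved "https://registry.yarnpkg.com/eslint-utils/-/eslint-utils-1.4.0.tgz"
  integrity sha512-omitted

eslint-utils@^1.4.2:
  version "1.4.2"
  resolved "https://registry.yarnpkg.com/eslint-utils/-/eslint-utils-1.4.2.tgz"
  integrity sha512-omitted

eslint@^5.16.0:
  version "5.16.0"
  resolved "https://registry.yarnpkg.com/eslint/-/eslint-5.16.0.tgz"
  integrity sha512-omitted
  dependencies:
    eslint-utils "^1.3.1"
`;

// Vulnerable range from the npm advisory: lower bound inclusive, upper bound exclusive.
const VULN_LOWER = "1.2.0";
const VULN_FIXED = "1.4.1";

// Parse "x.y.z" into three numbers (a pre-release suffix such as "-beta.1" is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is inside the advisory range.
function isVulnerableEslintUtils(version) {
  return compareVersions(version, VULN_LOWER) >= 0 &&
         compareVersions(version, VULN_FIXED) < 0;
}

// Strip the range from a selector: "eslint-utils@^1.3.1" -> "eslint-utils",
// "@scope/pkg@^2.0.0" -> "@scope/pkg" (the leading "@" belongs to the name).
function packageName(selector) {
  const at = selector.lastIndexOf("@");
  return at > 0 ? selector.slice(0, at) : selector;
}

// Parse yarn.lock v1 into [{ selectors: [...], version }]. Header lines are
// unindented, comma-separated `name@range` selectors ending in ":"; the
// resolved version is the two-space-indented `version "x.y.z"` line below it.
// Deeper-indented lines (dependencies blocks) are ignored.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const selectors = line.replace(/:\s*$/, "").split(",")
        .map((s) => s.trim().replace(/^"(.*)"$/, "$1"));
      current = { selectors, version: null };
      entries.push(current);
    } else if (current && /^ {2}version\s/.test(line)) {
      const m = /version\s+"?([^"\s]+)"?/.exec(line);
      current.version = m ? m[1] : null;
    }
  }
  return entries;
}

// Report every eslint-utils entry that resolved into the vulnerable range.
function findVulnerableEslintUtils(lockText) {
  return parseYarnLock(lockText)
    .filter((e) => e.version && e.selectors.some((s) => packageName(s) === "eslint-utils"))
    .filter((e) => isVulnerableEslintUtils(e.version))
    .map((e) => ({ selectors: e.selectors, version: e.version }));
}

for (const f of findVulnerableEslintUtils(SAMPLE_YARN_LOCK)) {
  console.log(`eslint-utils ${f.version} (via ${f.selectors.join(", ")}) is in the vulnerable range`);
}
```

To check a real project, read its own yarn.lock (for example with fs.readFileSync) and pass the text to findVulnerableEslintUtils. The file to check is the consumer's, not gatsby's: package managers do not consult the lockfiles of dependencies, so what an application resolves for eslint-utils is decided by the dependency ranges in the published package.json files and by the application's own lockfile. For an actual audit, yarn audit or npm audit query the advisory database directly; this script only makes the version-range check from the advisory explicit.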

@wardpeet wardpeet left a comment

Looks good to me, thanks!

@wardpeet wardpeet changed the title update eslint-utils to 1.4.2 chore: update eslint-utils to 1.4.2 Aug 23, 2019
@wardpeet wardpeet merged commit a7f4f78 into gatsbyjs:master Aug 23, 2019
@wardpeet wardpeet removed the status: blocked This issue/PR can't be solved at the moment and shouldn't be closed/merged label Aug 23, 2019