
[Deps] update tsconfig-paths #2421

Closed

Conversation

@Alkarex Alkarex commented Apr 1, 2022

Security fix.
See dividab/tsconfig-paths#197

Weaknesses: CWE-1321
CVE ID: CVE-2021-44906

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

(This currently triggers cascade alerts in many packages using eslint-plugin-import)
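The weakness class named in the comment above (CWE-1321, prototype pollution through a dotted key path) can be shown in a few lines. The block below is an added illustration and is not minimist's code: `setKeyUnsafe` is a deliberately minimal reimplementation of the "walk a dotted key path and assign" idiom the advisory refers to, `setKeySafe` is one way to harden it, and the `--a.b=c` argv shape, the `parseArgs` helper and the attacker payload are assumptions constructed for the demo.

```javascript
// Added illustration of the CWE-1321 pattern. NOT minimist's code: setKeyUnsafe
// is a minimal reimplementation of the "walk a dotted key path and assign"
// idiom, setKeySafe one way to harden it. The --a.b=c argv shape is assumed.

// Unsafe: descends through o[key] for every path segment. Because
// ({})['__proto__'] is Object.prototype, a segment named __proto__ walks out of
// the result object and the final assignment lands on the shared prototype.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Hardened: reject any segment that can reach a prototype, and only descend
// into own, plain-object properties so an inherited value is never the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setKeySafe(obj, keys, value) {
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) return false; // drop the whole key
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Minimal "--a.b=c" parser that delegates nested assignment to the given setter.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1].split('.'), m[2]);
  }
  return out;
}

// Feeds a constructed malicious argv through the parser and reports whether an
// unrelated, freshly created object now inherits the attacker's property.
// The prototype is restored afterwards so the rest of the process is unaffected.
function pollutes(setKey) {
  const attackerArgv = ['--__proto__.polluted=yes']; // constructed payload
  try {
    parseArgs(attackerArgv, setKey);
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('unsafe setKey pollutes Object.prototype:', pollutes(setKeyUnsafe));   // true
console.log('hardened setKey pollutes Object.prototype:', pollutes(setKeySafe));   // false
console.log('hardened setKey, benign input:', JSON.stringify(parseArgs(['--a.b=1'], setKeySafe)));
```

The hardened version rejects the whole key rather than silently skipping the bad segment, which keeps the parsed result predictable; `constructor` is on the deny list because `o.constructor.prototype` reaches `Object.prototype` just as `__proto__` does.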

codecov bot commented Apr 1, 2022

Codecov Report

Merging #2421 (28dfe88) into main (d8633c3) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2421   +/-   ##
=======================================
  Coverage   95.07%   95.07%           
=======================================
  Files          66       66           
  Lines        2721     2721           
  Branches      915      915           
=======================================
  Hits         2587     2587           
  Misses        134      134           


@ljharb (Member) commented Apr 1, 2022

This is fine, but also 100% unnecessary, because it's using a semver range. Reinstall eslint-plugin-import and you'll get an updated copy of all its transitive deps.

@rjhilgefort

> This is fine, but also 100% unnecessary, because it's using a semver range. Reinstall eslint-plugin-import and you'll get an updated copy of all its transitive deps.

I removed eslint-plugin-import, yarn installed (minimist 1.2.0 went away), installed eslint-plugin-import and the bad version of minimist was back as a dep of json5@1.0.1. Reinstalling doesn't seem to work.

@ljharb (Member) commented Sep 2, 2022

I can't speak to yarn, but npm would properly update it since json5 uses ^ (https://unpkg.com/browse/json5@1.0.1/package.json).
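The two comments above turn on one point: json5 declares its minimist dependency with a caret range, so a fresh resolution is allowed to pick the patched release even though the installed copy was pinned at 1.2.0. The block below is an added example, not code from this PR or from eslint-plugin-import: it implements caret-range matching and walks a lockfile-shaped tree to find chains whose pinned copy is below the fix while their declared range already admits it. The tree is constructed for the demo, mirrors the shape of an npm v1 lockfile (`name -> {version, requires, dependencies}`), and uses only the package names and versions stated in this thread; the range `^1.2.0` is what json5@1.0.1's package.json (linked above) declares for minimist, and 1.2.6 is the first minimist release above the advisory's `<=1.2.5`.

```javascript
// Added example (not from the PR or eslint-plugin-import). Constructed
// lockfile-shaped tree; only names/versions from the thread are used.

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
}

// Caret semantics: any version >= base that keeps the leftmost non-zero
// component unchanged (^1.2.0 => >=1.2.0 <2.0.0, ^0.2.3 => >=0.2.3 <0.3.0).
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only ^ ranges handled here');
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (base.major !== 0) return v.major === base.major;
  if (base.minor !== 0) return v.major === 0 && v.minor === base.minor;
  return v.major === 0 && v.minor === 0 && v.patch === base.patch;
}

// Constructed lockfile fragment for the chain described in the thread. Versions
// of the intermediate packages are omitted because the thread does not state them.
const LOCK = {
  dependencies: {
    'eslint-plugin-import': {
      dependencies: {
        'tsconfig-paths': {
          dependencies: {
            json5: {
              version: '1.0.1',
              requires: { minimist: '^1.2.0' },
              dependencies: { minimist: { version: '1.2.0' } },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk returning every installed copy of `target`, with the chain
// that reached it and the range its direct dependent declared for it.
function findInstalled(node, target, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const chain = [...path, name];
    if (name === target) {
      out.push({
        chain: chain.join(' > '),
        version: dep.version,
        range: node.requires ? node.requires[name] : undefined,
      });
    }
    findInstalled(dep, target, chain, out);
  }
  return out;
}

// Copies that are below `fixed` although the declared range already admits
// `fixed`: only the lock pin holds them back, so re-resolving would move them.
function staleChains(lock, target, fixed) {
  return findInstalled(lock, target).filter(
    (hit) => hit.version !== undefined
      && compareVersions(hit.version, fixed) < 0
      && hit.range !== undefined
      && satisfiesCaret(hit.range, fixed),
  );
}

for (const hit of staleChains(LOCK, 'minimist', '1.2.6')) {
  console.log(`${hit.chain}: installed ${hit.version}, range ${hit.range} admits 1.2.6`);
}
```

The check separates two cases a reinstall can leave you in: a copy held back only by the lock pin (the range admits the fix, so a fresh resolution moves it) and a copy held back by the declared range itself (no amount of reinstalling helps until the dependent bumps its range). Only the first case is reported.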

@ljharb (Member) commented Sep 2, 2022

This was updated in 0e80ee3, so, closing this PR.
