Security issue: please update Acorn #9643
Comments
I believe the root issue is with The latest jsdom package.json depends on acorn-globals |
When the dependency of jsdom is upgraded from |
For anyone having this:
Until ForbesLindesay/acorn-globals#50 or ForbesLindesay/acorn-globals#56 (@EmmaGoodliffe's) get merged. |
ForbesLindesay/acorn-globals#53 ForbesLindesay/acorn-globals#56 ForbesLindesay/acorn-globals#50 jestjs/jest#9643 jsdom/jsdom#2882 Signed-off-by: Charlike Mike Reagent <opensource@tunnckocore.com>
FWIW |
jsdom 16.2.1 is released and acorn is upgraded to 7.1.1. Thanks |
@railsstudent Can you please help me with the steps to fix this issue? |
Upgrading JSDOM is a breaking change, so it won't be done until the next major. You can use This is yet another case of npm complaining about regex dos attacks against a dev dependency, so 0% chance of it being exploited 🤷♂ |
That said, I'm not getting this warning?
$ docker run -it node:13-alpine sh -c 'mkdir dir; cd dir; npm init -y; npm i -D jest; npm audit'
Wrote to /dir/package.json:
{
"name": "dir",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.2 (node_modules/jest-haste-map/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN dir@1.0.0 No description
npm WARN dir@1.0.0 No repository field.
+ jest@25.1.0
added 486 packages from 285 contributors and audited 1203821 packages in 23.344s
23 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
=== npm audit security report ===
found 0 vulnerabilities
in 1203821 scanned packages |
@SimenB Together with the "kind-of" dependency vulnerability mentioned in #9648 (which is closed as duplicate), it looks a bit different in our project: Where almost all results are coming from jest. Two days ago there were 0 vulnerabilities. |
The fix was backported to acorn If you have an existing install, make sure you are using the latest version of jest. I believe this issue should now be closed. |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |