
fix: Force dependencies on async to v 3.2.3 - main branch #4194

Merged 1 commit on Apr 28, 2022

Conversation

@BruceHaley BruceHaley commented Apr 15, 2022

Fixes #4188

Description

This fixes the high severity Component Governance alerts for async. Example alert.
The alerts recommend "Upgrade async...to 3.2.2 to fix the vulnerability." V 3.2.3 is now the latest, so using that one.

The parent dependency, adal-node 0.2.3, has no updates available. And migrating to its replacement, ADAL for Node.js, requires code rewrites. So I have tried here forcing the async dependency to a safe version. The adal-node dependency tree:

```
botframework-connector@4.1.6 C:\src\botbuilder-js\libraries\botframework-connector
`-- adal-node@0.2.3
  `-- async@2.6.3
```

Specific Changes

Add "async": "3.2.3" to the "resolutions" section of package.json file. Yarn picks that up and forces all dependencies to use that version.

Testing

This fix was incorporated in packages with version number v4.16.0-dev.20220415.369fcc4 and pushed to MyGet for testing.
The packages were tested in the 8 Samples E2E test pipelines for JS and for TS, and they all passed.
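One way to confirm that a `resolutions` pin like the one above actually took effect, as an added example that is not part of this PR or the botbuilder-js code base: parse `yarn.lock`, find every entry for the package, and flag any that does not carry the pinned version or still sits below the first fixed release. The sample lockfile is constructed in yarn v1 style and assumes yarn records the forced version under the dependency's original range key.

```javascript
// Added example (not from the PR or the botbuilder-js repo): verify that a yarn
// "resolutions" pin took effect in yarn.lock and that no entry for the package
// still resolves below the first fixed version. Inputs are constructed (yarn v1 style).
const PACKAGE_JSON = { name: 'example', resolutions: { async: '3.2.3' } };
const LOCK_BEFORE = `
adal-node@0.2.3:
  version "0.2.3"
  dependencies:
    async "2.6.3"
async@2.6.3:
  version "2.6.3"
`;
// Assumed: after installing with the pin, the key stays "async@2.6.3" but the version is forced.
const LOCK_AFTER = LOCK_BEFORE.replace('version "2.6.3"', 'version "3.2.3"');
// Parse lockfile blocks into { specs: ['name@range', ...], version }; nested keys are ignored.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) { // header such as: async@2.6.3, async@^2.6.0:
      const specs = line.replace(/:\s*$/, '').split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current && /^\s+version "/.test(line)) {
      current.version = line.match(/"([^"]+)"/)[1];
    }
  }
  return entries;
}
const packageNameOf = (spec) => spec.slice(0, spec.lastIndexOf('@')); // works for @scope/name too
function cmpVersion(a, b) { // negative when a < b, numeric x.y.z only
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Returns the list of problems found; an empty list means the pin is effective.
function checkResolution(pkg, lockText, name, minSafe) {
  const pinned = (pkg.resolutions || {})[name];
  const problems = pinned ? [] : [`no resolutions entry for ${name}`];
  for (const e of parseYarnLock(lockText)) {
    if (!e.specs.some((s) => packageNameOf(s) === name)) continue;
    const key = e.specs.join(', ');
    if (!e.version) { problems.push(`${key} has no version line`); continue; }
    if (pinned && e.version !== pinned) problems.push(`${key} resolved to ${e.version}, expected ${pinned}`);
    if (cmpVersion(e.version, minSafe) < 0) problems.push(`${key} is still ${e.version} (< ${minSafe})`);
  }
  return problems;
}
console.log(checkResolution(PACKAGE_JSON, LOCK_AFTER, 'async', '3.2.2')); // []
```

Run the same check against the real `package.json` and `yarn.lock` in CI to catch the pin being dropped or a new transitive `async` range appearing later.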

@BruceHaley BruceHaley changed the title Force dependencies on async to v 3.2.3 - main branch fix: Force dependencies on async to v 3.2.3 - main branch Apr 15, 2022
coveralls commented Apr 15, 2022

Pull Request Test Coverage Report for Build 2174146596

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.003%) to 84.482%

Totals Coverage Status
Change from base Build 2172847391: -0.003%
Covered Lines: 19909
Relevant Lines: 22316

💛 - Coveralls

@tracyboehrer tracyboehrer merged commit 940e63d into main Apr 28, 2022
@tracyboehrer tracyboehrer deleted the bruce/asyncoverride4-15b branch April 28, 2022 19:25
Linked issue: Security Vulnerability with adal-node dependency in botframework-connector