
fix: upgrade @adobe/css-tools to 4.3.1 to address vulnerability #532

Merged

Conversation

justinbaltazar
Contributor

@justinbaltazar justinbaltazar commented Aug 30, 2023

What:
This PR bumps the @adobe/css-tools dependency to 4.3.1

Why:
There is an existing advisory on version 4.3.0:
GHSA-hpx4-r86g-5jrg

How:
Updated package.json.

Checklist:

  • Documentation
  • Tests
  • Updated Type Definitions
  • Ready to be merged

@justinbaltazar justinbaltazar changed the title from "update @adobe/css-tools to 4.3.1 to address vulnerability" to "fix: upgrade @adobe/css-tools to 4.3.1 to address vulnerability" Aug 30, 2023
@justinbaltazar justinbaltazar marked this pull request as ready for review August 30, 2023 19:07
@rakleed

rakleed commented Sep 5, 2023

@jgoz

@lritter79

lritter79 commented Sep 26, 2023

@nickmccurdy respectfully bumping since this is causing an issue as a dependency of okta-signin-widget

@ghost

ghost commented Oct 3, 2023

Bump?

@jgoz
Collaborator

jgoz commented Oct 3, 2023

I don't see the point of this change. The existing dependency range will allow package consumers to update the transitive dependency version via npm audit fix or equivalent with other package managers. What am I missing?

@lritter79

@jgoz I think it's worth adding this change to ensure that consumers of this package are secure since 4.3.0 has a vulnerability, and it would be courteous to just bump the version up and keep this package reliable.

@codecov

codecov bot commented Oct 12, 2023

Codecov Report

Merging #532 (3d4605e) into main (5b492ac) will not change coverage.
Report is 1 commit behind head on main.
The diff coverage is n/a.

@@            Coverage Diff            @@
##              main      #532   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           27        27           
  Lines          664       664           
  Branches       251       251           
=========================================
  Hits           664       664           


@nickserv nickserv merged commit 44f1eab into testing-library:main Oct 12, 2023
7 checks passed
@github-actions

🎉 This PR is included in version 6.1.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

@nickserv
Member

Merging since it's just a patch release which shouldn't have breaking changes.

@justinbaltazar
Contributor Author

Thanks all!

@lernerb

lernerb commented Dec 5, 2023

@justinbaltazar It looks like we need to push the min 4.3.2 based on the latest security patch per GH, not 4.3.1 - I can spin up a quick patch...

GHSA-prr3-c3m5-p7q2

Impact

@adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

EDIT: Patch (#555)
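The two points argued in this thread (jgoz's question of whether the existing range already lets consumers pick up the fix through `npm audit fix`, and lernerb's later note that a 4.3.1 floor still leaves the second advisory open) come down to semver range arithmetic. The following is an added example, not code from the jest-dom project or from this PR: a small caret-range checker that, for a declared range, a lockfile-resolved version and an advisory, reports whether the patched version is reachable within the range, whether the range's floor by itself forces a patched version, and whether the pinned version is still affected. It assumes the dependency range was `^4.3.0` (the thread only says "the existing dependency range") and models each advisory as "every version below the patched one is affected", with the patched versions taken from the thread (4.3.1, then 4.3.2).

```javascript
// Added example, not code from the jest-dom project or this PR.
// Assumptions: caret ranges and exact versions only, no pre-release tags;
// the declared range is taken to be "^4.3.0"; an advisory is modelled as
// { patched } meaning every version below `patched` is affected.

// Parse "MAJOR.MINOR.PATCH" into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way compare of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's caret rules:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound(floor) {
  const [maj, min, pat] = parseVersion(floor);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

// Does `version` satisfy `range`? Supports "^x.y.z" and exact "x.y.z".
function satisfies(range, version) {
  if (!range.startsWith('^')) return compareVersions(range, version) === 0;
  const floor = range.slice(1);
  return compareVersions(version, floor) >= 0 &&
         compareVersions(version, caretUpperBound(floor)) < 0;
}

// Every version below the advisory's patched version is treated as affected.
function isAffected(advisory, version) {
  return compareVersions(version, advisory.patched) < 0;
}

// Summarise one consumer's exposure for a declared range, the version the
// lockfile currently pins, and one advisory.
function assessExposure({ range, lockedVersion, advisory }) {
  const floor = range.startsWith('^') ? range.slice(1) : range;
  return {
    // `npm audit fix` can select the patched version without editing package.json
    fixReachableWithinRange: satisfies(range, advisory.patched),
    // A fresh install resolving the range's lowest version is already safe
    floorForcesFix: !isAffected(advisory, floor),
    // The version the lockfile pins today is still affected
    lockedVersionAffected: isAffected(advisory, lockedVersion),
  };
}

// Constructed scenario from the thread: the first advisory is fixed in 4.3.1,
// the second (4.3.1 and earlier affected) is fixed in 4.3.2.
const ADVISORY_FIXED_IN_4_3_1 = { id: 'GHSA-hpx4-r86g-5jrg', patched: '4.3.1' };
const ADVISORY_FIXED_IN_4_3_2 = { id: 'GHSA-prr3-c3m5-p7q2', patched: '4.3.2' };

// Walk the three floors discussed in the thread against both advisories,
// assuming in each case that the lockfile pins exactly the floor version.
function summarizeThreadScenario() {
  const rows = [];
  for (const range of ['^4.3.0', '^4.3.1', '^4.3.2']) {
    for (const advisory of [ADVISORY_FIXED_IN_4_3_1, ADVISORY_FIXED_IN_4_3_2]) {
      const lockedVersion = range.slice(1);
      rows.push({ range, advisory: advisory.id,
                  ...assessExposure({ range, lockedVersion, advisory }) });
    }
  }
  return rows;
}

console.table(summarizeThreadScenario());
```

Read together, the rows show both sides of the argument: with `^4.3.0` the patched versions are reachable, so `npm audit fix` works for consumers who run it, but nothing forces them there and a lockfile pinned at 4.3.0 stays affected; bumping the floor to 4.3.1 forces a fix for the first advisory only, and 4.3.2 is the first floor that closes both.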

zemnmez-renovate-bot added a commit to zemn-me/monorepo that referenced this pull request Oct 5, 2024
##### [`v6.5.0`](https://github.com/testing-library/jest-dom/releases/tag/v6.5.0)

##### Features

-   **toHaveValue:** Asserting aria-valuenow ([#479](testing-library/jest-dom#479)) ([acbf416](testing-library/jest-dom@acbf416))

##### [`v6.4.8`](https://github.com/testing-library/jest-dom/releases/tag/v6.4.8)

##### Bug Fixes

-   Drop peerDependencies from package.json ([#610](testing-library/jest-dom#610)) ([faf534b](testing-library/jest-dom@faf534b))

##### [`v6.4.7`](https://github.com/testing-library/jest-dom/releases/tag/v6.4.7)

##### Bug Fixes

-   Type definition of `toHaveClass` ([#611](testing-library/jest-dom#611)) ([5cc6298](testing-library/jest-dom@5cc6298))

##### [`v6.4.6`](https://github.com/testing-library/jest-dom/releases/tag/v6.4.6)

##### Bug Fixes

-   Support [@starting-style](https://github.com/starting-style) ([#602](testing-library/jest-dom#602)) ([fd9ee68](testing-library/jest-dom@fd9ee68))

##### [`v6.4.5`](https://github.com/testing-library/jest-dom/releases/tag/v6.4.5)

##### Bug Fixes

-   add js suffix to isEqualWith import ([#599](testing-library/jest-dom#599)) ([e8c8b13](testing-library/jest-dom@e8c8b13))

##### [`v6.4.4`](https://github.com/testing-library/jest-dom/releases/tag/v6.4.4)

##### Bug Fixes

-   **infra:** codecoverage token addition ([#600](testing-library/jest-dom#600)) ([f03a582](testing-library/jest-dom@f03a582))

##### [`v6.4.3`](https://github.com/testing-library/jest-dom/releases/tag/v6.4.3)

##### Bug Fixes

-   Updates role support for aria-required attribute in `toBeRequired` ([#590](testing-library/jest-dom#590)) ([20aca33](testing-library/jest-dom@20aca33))

##### [`v6.4.2`](https://github.com/testing-library/jest-dom/releases/tag/v6.4.2)

##### Bug Fixes

-   Remove errant export of GetByRoleMatcher, fixing type checking in some TS configurations ([#575](testing-library/jest-dom#575)) ([a93c0c4](testing-library/jest-dom@a93c0c4))

##### [`v6.4.1`](https://github.com/testing-library/jest-dom/releases/tag/v6.4.1)

##### Bug Fixes

-   Export type `TestingLibraryMatchers` from "./matchers" ([#576](testing-library/jest-dom#576)) ([dd1c4dd](testing-library/jest-dom@dd1c4dd))

##### [`v6.4.0`](https://github.com/testing-library/jest-dom/releases/tag/v6.4.0)

##### Features

-   Add toHaveRole matcher ([#572](testing-library/jest-dom#572)) ([f7dc673](testing-library/jest-dom@f7dc673))

##### [`v6.3.0`](https://github.com/testing-library/jest-dom/releases/tag/v6.3.0)

##### Features

-   Support for regular expressions in toHaveClass ([#563](testing-library/jest-dom#563)) ([9787ed5](testing-library/jest-dom@9787ed5))

##### [`v6.2.1`](https://github.com/testing-library/jest-dom/releases/tag/v6.2.1)

##### Bug Fixes

-   Standalone types for "./matchers" export and add Bun support ([#566](testing-library/jest-dom#566)) ([5675b86](testing-library/jest-dom@5675b86))

##### [`v6.2.0`](https://github.com/testing-library/jest-dom/releases/tag/v6.2.0)

##### Features

-   toHaveAccessibleDescription supports aria-description ([#565](testing-library/jest-dom#565)) ([1fb156c](testing-library/jest-dom@1fb156c))

##### [`v6.1.6`](https://github.com/testing-library/jest-dom/releases/tag/v6.1.6)

##### Bug Fixes

-   Upgrade [@adobe/css-tools](https://github.com/adobe/css-tools) to v4.3.2 ([#553](testing-library/jest-dom#553)) ([b64b953](testing-library/jest-dom@b64b953))

##### [`v6.1.5`](https://github.com/testing-library/jest-dom/releases/tag/v6.1.5)

##### Bug Fixes

-   support uppercase custom props in toHaveStyle ([#552](testing-library/jest-dom#552)) ([b7b7c6a](testing-library/jest-dom@b7b7c6a))

##### [`v6.1.4`](https://github.com/testing-library/jest-dom/releases/tag/v6.1.4)

##### Bug Fixes

-   upgrade `@adobe/css-tools` to `4.3.1` to address vulnerability ([#532](testing-library/jest-dom#532)) ([44f1eab](testing-library/jest-dom@44f1eab))

##### [`v6.1.3`](https://github.com/testing-library/jest-dom/releases/tag/v6.1.3)

##### Bug Fixes

-   proper [@jest/globals](https://github.com/jest/globals) import ([#530](testing-library/jest-dom#530)) ([5b492ac](testing-library/jest-dom@5b492ac))

##### [`v6.1.2`](https://github.com/testing-library/jest-dom/releases/tag/v6.1.2)

##### Bug Fixes

-   bump [@adobe/css-tools](https://github.com/adobe/css-tools) for ESM support ([#525](testing-library/jest-dom#525)) ([b959a68](testing-library/jest-dom@b959a68))

##### [`v6.1.1`](https://github.com/testing-library/jest-dom/releases/tag/v6.1.1)

##### Bug Fixes

-   **package.json:** update main and module file paths ([#523](testing-library/jest-dom#523)) ([853a3e5](testing-library/jest-dom@853a3e5))

##### [`v6.1.0`](https://github.com/testing-library/jest-dom/releases/tag/v6.1.0)

##### Features

-   Publish ESM and CJS (testing-library/jest-dom#519)

##### [`v6.0.1`](https://github.com/testing-library/jest-dom/releases/tag/v6.0.1)

##### Bug Fixes

-   matchers type is making the global expect unsafe ([#513](testing-library/jest-dom#513)) ([bdb34f1](testing-library/jest-dom@bdb34f1))

##### [`v6.0.0`](https://github.com/testing-library/jest-dom/releases/tag/v6.0.0)

##### Features

-   local types, supporting jest, [@jest/globals](https://github.com/jest/globals), vitest ([#511](testing-library/jest-dom#511)) ([4b764b9](testing-library/jest-dom@4b764b9))

##### BREAKING CHANGES

-   Removes the extend-expect script. Users should use
    the default import path or one of the new test platform-specific
    paths to automatically extend the appropriate "expect" instance.

extend-expect was not documented in the Readme, so this change should
have minimal impact.

Users can now use the following import paths to automatically extend
"expect" for their chosen test platform:

-   [@testing-library/jest-dom](https://github.com/testing-library/jest-dom) - jest ([@types/jest](https://github.com/types/jest))
-   @testing-library/jest-dom/jest-globals - [@jest/globals](https://github.com/jest/globals)
-   @testing-library/jest-dom/vitest - vitest

For example:

    import '@testing-library/jest-dom/jest-globals'

Importing from one of the above paths will augment the appropriate
matcher interface for the given test platform, assuming the import
is done in a .ts file that is included in the user's tsconfig.json.

It's also (still) possible to import the matchers directly without
side effects:

    import * as matchers from '@testing-library/jest-dom/matchers'

-   Update kcd-scripts
-   Drop node < 14
github-merge-queue bot pushed a commit to zemn-me/monorepo that referenced this pull request Oct 5, 2024