
PDE-2085 chore(cli): bump @oclif/plugin-help to ^3.2.14 to patch vulnerability in sub-dependency #556

Closed
wants to merge 2 commits into from

Conversation

mrjackdavis

fixes #555

@mrjackdavis mrjackdavis requested a review from eliangcs as a code owner June 27, 2022 07:44
@mrjackdavis mrjackdavis changed the title chore(cli): bump @oclif/plugin-help to ^3.2.14 chore(cli): bump @oclif/plugin-help to ^3.2.14 to patch vulnerability in sub-dependency Jun 27, 2022
@eliangcs eliangcs changed the title chore(cli): bump @oclif/plugin-help to ^3.2.14 to patch vulnerability in sub-dependency PDE-2085 chore(cli): bump @oclif/plugin-help to ^3.2.14 to patch vulnerability in sub-dependency Jun 28, 2022
Member

@eliangcs eliangcs left a comment

Thanks for fixing! I understand conventionally you'd use a ^ or ~ to auto upgrade the dependencies. But for the packages in this repo, it's more important not to break, so we always use the exact versions to make sure the installation is as deterministic as possible.

@@ -41,7 +41,7 @@
"@oclif/command": "1.8.0",
"@oclif/config": "1.17.0",
"@oclif/plugin-autocomplete": "0.3.0",
"@oclif/plugin-help": "3.2.2",
"@oclif/plugin-help": "~3.2.14",
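Review bot: the new `"@oclif/plugin-help": "~3.2.14"` line is a tilde range while the neighbouring `@oclif/command`, `@oclif/config` and `@oclif/plugin-autocomplete` entries are exact pins, so it breaks the manifest's pinning convention and lets a fresh `npm install` resolve any later 3.2.x release; change it to `"@oclif/plugin-help": "3.2.14"` and, if the repository commits a lockfile, regenerate it in the same change so the resolved lodash.template version is recorded alongside the bump.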
Member

For this repo, we always pin the exact version of a dependency, to be extra safe that nothing breaks due to accidental version bump.

Suggested change
"@oclif/plugin-help": "~3.2.14",
"@oclif/plugin-help": "3.2.14",

@mrjackdavis
Author

I patched a repo at work with this change, but unfortunately a bunch of other stuff breaks. For some reason that dependency patch version bump has a bunch of breaking changes. I'll swing back here and update the PR when I get time

@AlonNavon

@mrjackdavis
Hey Jack, I know this is an old issue, but it's the kind of pain we exist to solve. You want to fix CVE-2021-23337 in lodash.template, but it's a transitive dependency so you have to upgrade @oclif/plugin-help, but the patch version contains breaking changes so a simple version bump won't work. Oldest story in the (open-source) world.

At Seal Security we backport security patches and release them freely to the community. So instead of upgrading @oclif/plugin-help you can just use npm's override feature and override the existing lodash.template version with our own, which is available for free on our artifact server. Hope this will be able to solve your issue (and future similar ones).

If you have any questions, feel free to contact us.
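The two mechanics this thread turns on, the maintainers' rule that every dependency spec is an exact version (eliangcs's comments above) and the npm `overrides` route to a transitive package that AlonNavon mentions, as an added JavaScript example. This is not code from this PR or from the repository it targets; the manifest, the `sample-cli` name and the `4.5.1` lodash.template version it overrides to are constructed placeholders and make no claim that such a release exists.

```javascript
// Added example (not from the PR or its repository): enforce the "exact pins
// only" rule and express an npm `overrides` entry for a transitive dependency.
// The manifest and versions below are constructed for illustration.

// Exact SemVer version: MAJOR.MINOR.PATCH with optional pre-release/build
// metadata, and no range operator (^, ~, >=, x, *, ||) anywhere in the spec.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Manifest fields whose values are dependency specs.
const DEPENDENCY_FIELDS = [
  "dependencies",
  "devDependencies",
  "optionalDependencies",
  "peerDependencies",
];

function isExactVersion(spec) {
  return typeof spec === "string" && EXACT_VERSION.test(spec.trim());
}

// Return every dependency whose spec is a range (or anything else that is not
// an exact pin), so a CI step can fail the build on a stray ^ or ~.
function findRangeSpecs(pkg) {
  const findings = [];
  for (const field of DEPENDENCY_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactVersion(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Return a copy of the manifest with an npm `overrides` entry that forces every
// copy of `name` in the install tree, transitive ones included, to `version`.
// Ranges are refused so the override is as deterministic as the direct pins.
function withOverride(pkg, name, version) {
  if (!isExactVersion(version)) {
    throw new Error(`override for ${name} must be an exact version, got "${version}"`);
  }
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: version } };
}

// Constructed manifest mirroring the PR's hunk: the direct dependencies are
// pinned except the one the PR changed to a tilde range.
const SAMPLE_PKG = {
  name: "sample-cli",
  dependencies: {
    "@oclif/command": "1.8.0",
    "@oclif/config": "1.17.0",
    "@oclif/plugin-autocomplete": "0.3.0",
    "@oclif/plugin-help": "~3.2.14",
  },
  devDependencies: {
    eslint: "8.18.0",
  },
};

// HYPOTHETICAL version for the transitive package; chosen only to show the
// shape of the override, not a statement that this lodash.template release exists.
const ASSUMED_PATCHED_LODASH_TEMPLATE = "4.5.1";

// Report non-exact specs, then show the manifest with the override applied.
const rangeSpecs = findRangeSpecs(SAMPLE_PKG);
console.log("non-exact dependency specs:", rangeSpecs);
const overridden = withOverride(SAMPLE_PKG, "lodash.template", ASSUMED_PATCHED_LODASH_TEMPLATE);
console.log("overrides:", JSON.stringify(overridden.overrides));
```

To use it on a real project, replace `SAMPLE_PKG` with `JSON.parse(fs.readFileSync("package.json", "utf8"))` and write the result back; npm honours `overrides` from npm 8.3 onwards (Yarn's equivalent is `resolutions`), and after `npm install`, `npm ls lodash.template` shows whether the forced version actually replaced the copy pulled in through @oclif/plugin-help.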

@rnegron
Member

rnegron commented Feb 2, 2024

Fixed in #739. Thanks for flagging this issue!

@rnegron rnegron closed this Feb 2, 2024
Successfully merging this pull request may close these issues.

Command Injection on sub-dependency lodash.template via @oclif/plugin-help
4 participants