chore: resolve dependencies CVE #10984
Conversation
See:
* foundation/supercollider#16
* foundation/panini#158
* foundation/foundation-docs#27

Update packages:
* `handlebars`: `2.0.0` -> `4.0.1` (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8861)
* `uglify-js`: `2.3.6` -> `2.8.29` (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8857, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858)
* `marked`: `0.3.6` -> `0.3.14` (https://nvd.nist.gov/vuln/detail/CVE-2017-1000427)
handlebars ✔️

`npm ls handlebars`:
```
+-- foundation-docs@0.2.1 (github:zurb/foundation-docs#5bcace3dfdb3e9288744ed0537a9ae0b0a98cce7)
| `-- handlebars@4.0.11
+-- panini@1.6.2
| `-- handlebars@4.0.11 deduped
`-- supercollider@1.4.3
  `-- handlebars@4.0.11 deduped
```

`npm ls marked`:
```
+-- foundation-docs@0.2.1 (github:zurb/foundation-docs#5bcace3dfdb3e9288744ed0537a9ae0b0a98cce7)
| `-- marked@0.3.6
+-- octophant@1.0.1
| `-- sassdoc@2.3.0
|   `-- sassdoc-theme-default@2.6.1
|     `-- sassdoc-extras@2.4.1
|       `-- marked@0.3.6 deduped
+-- panini@1.6.2
| `-- marked@0.3.16
`-- supercollider@1.4.3
  +-- jsdoc-api@1.2.4
  | `-- jsdoc-75lb@3.6.0
  |   `-- marked@0.3.6 deduped
  +-- jsdoc3-parser@1.1.0
  | `-- jsdoc@3.5.5
  |   `-- marked@0.3.6 deduped
  `-- marked@0.3.6 deduped
```

`npm ls uglify-js`:
```
+-- foundation-docs@0.2.1 (github:zurb/foundation-docs#5bcace3dfdb3e9288744ed0537a9ae0b0a98cce7)
| `-- handlebars@4.0.11
|   `-- uglify-js@2.8.29
+-- gulp-uglify@2.1.2
| `-- uglify-js@2.8.29
+-- octophant@1.0.1
| `-- sassdoc@2.3.0
|   `-- sassdoc-theme-default@2.6.1
|     +-- html-minifier@3.5.5
|     | `-- uglify-js@3.1.3
|     `-- swig@1.4.0
|       `-- uglify-js@2.4.24
+-- webpack@3.5.5
| `-- uglifyjs-webpack-plugin@0.4.6
|   `-- uglify-js@2.8.29
`-- webpack-stream@3.2.0
  `-- webpack@1.15.0
    `-- uglify-js@2.7.5
```

https://github.com/zurb/foundation-docs/blob/master/package.json#L35

Seems the docs, octophant / sassdoc, jsdoc and supercollider still pull the wrong, vulnerable marked version. And sassdoc still uses uglify-js@2.4.24 in swig (which is not maintained anymore). I guess either the lockfiles are not properly updated (npm ls outdated) or we have to change more deps in package.json files.
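The transitive-dependency check the comment above does by eye, as an added example that is not part of this PR or of Foundation's code: a Node script that walks `npm ls --json` output and lists every path that still resolves a watched package below the first fixed version named in the PR description. The tree below is a constructed, trimmed copy of the `npm ls` output posted above, and the floor versions are assumed from the PR text.

```javascript
// Added example (not from the PR). Floor versions assumed from the PR
// description: first release that resolves each package's CVE.
const FIXED = { handlebars: '4.0.1', 'uglify-js': '2.8.29', marked: '0.3.14' };

// Compare two dotted numeric versions; negative when a < b, 0 when equal.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the `dependencies` map of `npm ls --json` (each entry is
// { version, dependencies }) and collect every watched package that
// resolves below its floor, with the full path that pulls it in.
function findVulnerable(deps, fixed = FIXED, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (fixed[name] && compareVersions(info.version, fixed[name]) < 0) {
      hits.push({ name, version: info.version, path: here.join(' > ') });
    }
    hits.push(...findVulnerable(info.dependencies, fixed, here));
  }
  return hits;
}

// Constructed sample shaped like `npm ls --json`, mirroring the tree above.
const SAMPLE_TREE = {
  name: 'foundation-sites',
  dependencies: {
    'foundation-docs': { version: '0.2.1', dependencies: {
      handlebars: { version: '4.0.11', dependencies: { 'uglify-js': { version: '2.8.29' } } },
      marked: { version: '0.3.6' } } },
    octophant: { version: '1.0.1', dependencies: {
      sassdoc: { version: '2.3.0', dependencies: {
        'sassdoc-theme-default': { version: '2.6.1', dependencies: {
          swig: { version: '1.4.0', dependencies: { 'uglify-js': { version: '2.4.24' } } } } } } } } },
    panini: { version: '1.6.2', dependencies: { marked: { version: '0.3.16' } } },
  },
};

// Reports the two paths still below their floor: marked@0.3.6 and uglify-js@2.4.24.
console.log(findVulnerable(SAMPLE_TREE.dependencies));
```

On a real checkout, replace `SAMPLE_TREE` with `JSON.parse` of `npm ls --json --all` output; a dependency that is still reported after the direct package.json bump is exactly the lockfile or sub-dependency case the comment describes.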
https://github.com/node-swig/swig-templates could be a solution.

jsdoc-api and jsdoc3-parser are also candidates for updates. https://github.com/SassDoc/sassdoc-extras/commits/master

But the last one is not a problem, as we do not use the SassDoc default theme.
Looks good to me so far (after the new PRs are applied) 👍

So LGTM

awesome 👍
Update (sub-)dependencies:
* foundation-docs: 856ca90 -> e951418
* supercollider: 1.4.0 -> 1.4.4
* panini: 1.4.0 -> 1.6.2

Resolve sub-dependencies CVE:
* handlebars: 2.0.0 -> 4.0.1 (CVE 2015-8861)
* uglify-js: 2.3.6 -> 2.8.29 (CVE 2015-8857, CVE 2015-8858)
* marked: 0.3.6 -> 0.3.14 (CVE 2017-1000427)

See:
* marked CVE supercollider#18
* chore: resolve marked CVE (@ncoden)