
chore: resolve dependencies CVE #10984

Merged
merged 3 commits into from
Feb 25, 2018

Conversation


@ncoden ncoden commented Feb 23, 2018

Update (sub-)dependencies:

  • foundation-docs: 856ca90 -> e951418
  • supercollider: 1.4.0 -> 1.4.4
  • panini: 1.4.0 -> 1.6.2

Resolve sub-dependencies CVE:

See:

@ncoden ncoden added this to the 6.4.4 milestone Feb 23, 2018

DanielRuf commented Feb 24, 2018

handlebars ✔️
marked ❌
uglify-js ❌

npm ls handlebars
+-- foundation-docs@0.2.1 (github:zurb/foundation-docs#5bcace3dfdb3e9288744ed0537a9ae0b0a98cce7)
| `-- handlebars@4.0.11
+-- panini@1.6.2
| `-- handlebars@4.0.11  deduped
`-- supercollider@1.4.3
  `-- handlebars@4.0.11  deduped
npm ls marked
+-- foundation-docs@0.2.1 (github:zurb/foundation-docs#5bcace3dfdb3e9288744ed0537a9ae0b0a98cce7)
| `-- marked@0.3.6
+-- octophant@1.0.1
| `-- sassdoc@2.3.0
|   `-- sassdoc-theme-default@2.6.1
|     `-- sassdoc-extras@2.4.1
|       `-- marked@0.3.6  deduped
+-- panini@1.6.2
| `-- marked@0.3.16
`-- supercollider@1.4.3
  +-- jsdoc-api@1.2.4
  | `-- jsdoc-75lb@3.6.0
  |   `-- marked@0.3.6  deduped
  +-- jsdoc3-parser@1.1.0
  | `-- jsdoc@3.5.5
  |   `-- marked@0.3.6  deduped
  `-- marked@0.3.6  deduped
npm ls uglify-js
+-- foundation-docs@0.2.1 (github:zurb/foundation-docs#5bcace3dfdb3e9288744ed0537a9ae0b0a98cce7)
| `-- handlebars@4.0.11
|   `-- uglify-js@2.8.29
+-- gulp-uglify@2.1.2
| `-- uglify-js@2.8.29
+-- octophant@1.0.1
| `-- sassdoc@2.3.0
|   `-- sassdoc-theme-default@2.6.1
|     +-- html-minifier@3.5.5
|     | `-- uglify-js@3.1.3
|     `-- swig@1.4.0
|       `-- uglify-js@2.4.24
+-- webpack@3.5.5
| `-- uglifyjs-webpack-plugin@0.4.6
|   `-- uglify-js@2.8.29
`-- webpack-stream@3.2.0
  `-- webpack@1.15.0
    `-- uglify-js@2.7.5

https://github.com/zurb/foundation-docs/blob/master/package.json#L35

Seems the docs, octophant / sassdoc, jsdoc and supercollider still pull the wrong vulnerable marked version.

And sassdoc still uses uglify-js@2.4.24 in swig (which is not maintained anymore).
https://github.com/paularmstrong/swig/blob/master/package.json#L21

I guess either the lockfiles are not properly updated (npm ls outdated) or we have to change more deps in package.json files.

@DanielRuf

jsdoc-api and jsdoc3-parser are also candidates for updates.

https://github.com/SassDoc/sassdoc-extras/commits/master


ncoden commented Feb 24, 2018

@DanielRuf

  • ✅ Resolved with chore: resolve dependencies CVE foundation-docs#28:

    +-- foundation-docs@0.2.1 (github:zurb/foundation-docs#5bcace3dfdb3e9288744ed0537a9ae0b0a98cce7)
    | `-- marked@0.3.6                    --- ^0.3.5 (locked to 0.3.9) -> ^0.3.14 (locked to 0.3.14)
    
  • ✅ Resolved with chore: resolve marked CVE supercollider#18 (require chore: resolve dependencies CVE foundation-docs#28):

    +-- foundation-docs@0.2.1 (github:zurb/foundation-docs#5bcace3dfdb3e9288744ed0537a9ae0b0a98cce7)
    | `-- marked@0.3.6                    --- ^0.3.2 -> ^0.3.14 (locked to 0.3.16)
    +-- panini@1.6.2
    | `-- marked@0.3.16
    `-- supercollider@1.4.3
      +-- jsdoc-api@1.2.4
      | `-- jsdoc-75lb@3.6.0
      |   `-- marked@0.3.6               --- ~0.3.6 (unlocked) -> ~0.3.6 (locked to 0.3.14)
      +-- jsdoc3-parser@1.1.0
      | `-- jsdoc@3.5.5
      |   `-- marked@0.3.6               --- ~0.3.6 (unlocked) -> ~0.3.6 (locked to 0.3.14)
      `-- marked@0.3.6                   --- ^0.3.5 (locked to 0.3.9) -> ^0.3.14 (locked to 0.3.14)
    
  • ✅ Resolved with an update of package-lock.json

    +-- octophant@1.0.1
    | `-- sassdoc@2.3.0
    |   `-- sassdoc-theme-default@2.6.1
    |     `-- sassdoc-extras@2.4.1
    |       `-- marked@0.3.6              --- ^0.3.9 (unlocked) -> ^0.3.9 (locked to 0.3.14)
    
  • ❌ Unresolved:

    +-- octophant@1.0.1
    | `-- sassdoc@2.3.0
    |   `-- sassdoc-theme-default@2.6.1
    |     `-- swig@1.4.0                    --- require `uglify-js@~2.4`
    |       `-- uglify-js@2.4.24
    

But the last one is not a problem as we do not use the SassDoc default theme.
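The two `npm ls` listings in this thread are checked by eye, package by package. As an added example (not code from this PR or from the Foundation project), the Node script below does the same check mechanically: it walks a dependency tree in the `name` / `version` / `dependencies` shape that `npm ls --json` emits, reports every path that reaches a package below a chosen minimum version, and tests whether a `package.json` range (`^` and `~` forms only) can admit the fixed release at all, which is the reason `swig`'s `uglify-js@~2.4` stays unresolved after a lockfile refresh. The tree is constructed from the versions listed above and trimmed to the branches that matter; the `marked` floor of 0.3.14 is the version this PR locks to, while the `uglify-js` floor of 2.6.0 is an assumed placeholder, not a value taken from any advisory.

```javascript
// Added example (not part of this PR or the Foundation code base):
// walk an `npm ls --json`-shaped tree, flag every path that reaches a package
// below a chosen minimum version, and check whether a package.json range can
// even admit the fixed release.

// Parse "x.y.z" (any prerelease suffix ignored) into three integers.
function parseVersion(v) {
  const parts = String(v).split('-')[0].split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Numeric comparison, so 0.3.9 < 0.3.14 (string comparison gets this wrong).
function compareVersions(a, b) {
  return compareParts(parseVersion(a), parseVersion(b));
}

// Inclusive lower and exclusive upper bound of a caret or tilde range.
// Only the forms seen in this thread (^0.3.5, ~0.3.6, ~2.4) are handled;
// anything else is rejected rather than guessed at.
function rangeBounds(range) {
  const op = range[0];
  if (op !== '^' && op !== '~') throw new Error(`unsupported range syntax: ${range}`);
  const given = range.slice(1).split('.');
  const lo = parseVersion(range.slice(1));
  let hi;
  if (op === '~') {
    // ~x.y.z and ~x.y allow patch bumps only; ~x allows minor bumps.
    hi = given.length === 1 ? [lo[0] + 1, 0, 0] : [lo[0], lo[1] + 1, 0];
  } else if (lo[0] !== 0) {
    hi = [lo[0] + 1, 0, 0];            // ^x.y.z: anything below the next major
  } else if (lo[1] !== 0 || given.length < 3) {
    hi = [0, lo[1] + 1, 0];            // ^0.y.z: patch bumps only
  } else {
    hi = [0, 0, lo[2] + 1];            // ^0.0.z: that exact patch
  }
  return { lo, hi };
}

// False means a lockfile refresh alone cannot pull `version`; the range in
// the upstream package.json has to change first.
function rangeAllows(range, version) {
  const { lo, hi } = rangeBounds(range);
  const v = parseVersion(version);
  return compareParts(v, lo) >= 0 && compareParts(v, hi) < 0;
}

// Depth-first walk; returns every path ending in `pkg` below `minSafe`.
function findBelow(tree, pkg, minSafe) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = path.concat(`${name}@${child.version}`);
      if (name === pkg && compareVersions(child.version, minSafe) < 0) {
        hits.push({ pkg, version: child.version, path: here.join(' > ') });
      }
      walk(child, here);
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Apply a policy map { package: minimumSafeVersion } to the whole tree.
function audit(tree, policy) {
  return Object.entries(policy).flatMap(([pkg, minSafe]) => findBelow(tree, pkg, minSafe));
}

// Constructed sample built from the versions in the thread's `npm ls` output
// (hand-trimmed; not real `npm ls --json` output).
const SAMPLE_TREE = {
  name: 'foundation-sites', version: '6.4.3',
  dependencies: {
    'foundation-docs': { version: '0.2.1', dependencies: {
      handlebars: { version: '4.0.11', dependencies: { 'uglify-js': { version: '2.8.29' } } },
      marked: { version: '0.3.6' },
    } },
    panini: { version: '1.6.2', dependencies: { marked: { version: '0.3.16' } } },
    octophant: { version: '1.0.1', dependencies: { sassdoc: { version: '2.3.0', dependencies: {
      'sassdoc-theme-default': { version: '2.6.1', dependencies: {
        'sassdoc-extras': { version: '2.4.1', dependencies: { marked: { version: '0.3.6' } } },
        swig: { version: '1.4.0', dependencies: { 'uglify-js': { version: '2.4.24' } } },
      } },
    } } } },
    supercollider: { version: '1.4.3', dependencies: {
      'jsdoc3-parser': { version: '1.1.0', dependencies: { jsdoc: { version: '3.5.5',
        dependencies: { marked: { version: '0.3.6' } } } } },
      marked: { version: '0.3.6' },
    } },
  },
};

// 0.3.14 is the `marked` version this PR locks to; the uglify-js floor is an
// ASSUMED placeholder, not a value taken from any advisory.
const POLICY = { marked: '0.3.14', 'uglify-js': '2.6.0' };

for (const hit of audit(SAMPLE_TREE, POLICY)) {
  console.log(`${hit.pkg}@${hit.version} is below ${POLICY[hit.pkg]}: ${hit.path}`);
}
// swig's `uglify-js@~2.4` cannot admit 2.8.29, so only an upstream change fixes it:
console.log('~2.4 admits 2.8.29:', rangeAllows('~2.4', '2.8.29'));
```

The same walk could be pointed at real output with `JSON.parse` over `npm ls --json --all`; note that deduped entries in real output may carry less detail than the constructed nodes here, so check the shape your npm version emits before relying on the `version` field of every node.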

@ncoden ncoden changed the title from "chore: update dependencies with CVE" to "chore: resolve dependencies CVE" Feb 25, 2018

@DanielRuf DanielRuf left a comment


Looks good to me so far (after the new PRs will be applied) 👍


ncoden commented Feb 25, 2018

➜  foundation-sites git:(chore/update-packages-cve) npm ls handlebars marked uglify-js
foundation-sites@6.4.3 /Users/ncoden/Documents/Documents/Projects/Programmation/Web/2016/Foundation/dev/foundation-sites
├─┬ foundation-docs@0.2.1 (github:zurb/foundation-docs#e95141823f1248fd62a83ed5999cdd979cacd9e5)
│ ├─┬ handlebars@4.0.11
│ │ └── uglify-js@2.8.29
│ └── marked@0.3.16
├─┬ gulp-uglify@2.1.2
│ └── uglify-js@2.8.29
├─┬ octophant@1.0.1
│ └─┬ sassdoc@2.3.0
│   └─┬ sassdoc-theme-default@2.6.1
│     ├─┬ html-minifier@3.5.5
│     │ └── uglify-js@3.1.3
│     ├─┬ sassdoc-extras@2.4.1
│     │ └── marked@0.3.16  deduped
│     └─┬ swig@1.4.0
│       └── uglify-js@2.4.24
├─┬ panini@1.6.2
│ ├── handlebars@4.0.11  deduped
│ └── marked@0.3.16
├─┬ supercollider@1.4.4
│ ├── handlebars@4.0.11  deduped
│ ├─┬ jsdoc-api@1.2.4
│ │ └─┬ jsdoc-75lb@3.6.0
│ │   └── marked@0.3.16
│ ├─┬ jsdoc3-parser@1.1.0
│ │ └─┬ jsdoc@3.5.5
│ │   └── marked@0.3.16  deduped
│ └── marked@0.3.16
├─┬ webpack@3.5.5
│ └─┬ uglifyjs-webpack-plugin@0.4.6
│   └── uglify-js@2.8.29
└─┬ webpack-stream@3.2.0
  └─┬ webpack@1.15.0
    └── uglify-js@2.7.5

So LGTM

@ncoden ncoden merged commit 3e2fe20 into foundation:develop Feb 25, 2018
@DanielRuf

awesome 👍

@ncoden ncoden deleted the chore/update-packages-cve branch April 7, 2018 17:42
ncoden added a commit to ncoden/foundation-sites that referenced this pull request Jun 16, 2018
…ve for v6.5.0

c19edff chore: update dependencies with CVE
bbb08ae chore: update  to 1.4.4
974c89a chore: update

Signed-off-by: Nicolas Coden <nicolas@ncoden.fr>