
Run npm audit fix #28866

Merged
merged 2 commits into from
Jan 20, 2024

Conversation

yardenshoham
Member

The output of `npm audit` before this change:

```
$ npm audit
# npm audit report

vite  5.0.0 - 5.0.11
Severity: high
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem - https://github.com/advisories/GHSA-c24v-8rfc-w8vw
fix available via `npm audit fix`
node_modules/vite

1 high severity vulnerability

To address all issues, run:
  npm audit fix
```

After:

```
$ npm audit
found 0 vulnerabilities
```
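As an added illustration of the bug class named in the advisory above (example code written for this page, not Vite's code and not the fix Vite shipped; the deny list, the probe paths and the `fsIsCaseInsensitive` platform heuristic are assumptions): a deny check that matches the request basename exactly as typed, next to a hardened check that decodes and normalises the path first and matches case-insensitively whenever the host filesystem is. On a case-insensitive filesystem `/.ENV` opens the same file as `/.env`, so the first check is bypassed while the second still denies it.

```javascript
// Added example for this page: a case-sensitive deny list defeated by a
// case-insensitive filesystem, and a hardened variant. Not Vite's code.
// The deny list, probe paths and platform heuristic are assumptions.

// Constructed deny list, modelled on the spirit of `server.fs.deny`
// (basename globs; `*` is the only wildcard this toy matcher supports).
const DENY = ['.env', '.env.*', '*.pem'];

// Turn a basename glob into an anchored RegExp. Only `*` is special.
function globToRegExp(glob, caseInsensitive) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*');                  // `*` matches any run of chars
  return new RegExp(`^${escaped}$`, caseInsensitive ? 'i' : '');
}

// Last path segment, POSIX style (no dependency on `path` so this runs anywhere).
function basename(p) {
  const segs = p.split('/');
  return segs[segs.length - 1];
}

// Collapse empty, `.` and `..` segments so `/src/../.env` becomes `/.env`.
function posixNormalize(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Vulnerable shape: compare the basename exactly as the client sent it.
// On a case-insensitive filesystem `/.ENV` is served from the same file as
// `/.env`, but a case-sensitive match never fires. URL-encoding is not
// decoded either, so `/%2Eenv` slips past as well.
function isDeniedNaive(requestPath) {
  const base = basename(requestPath);
  return DENY.some((glob) => globToRegExp(glob, false).test(base));
}

// Hardened shape: canonicalise first (decode, collapse `.`/`..`), then match
// with the same case sensitivity the underlying filesystem has. Malformed
// percent-encoding fails closed. On a case-sensitive filesystem `.ENV` really
// is a different file, so the check deliberately still allows it there.
function isDeniedHardened(requestPath, { caseInsensitiveFs }) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPath);
  } catch (e) {
    return true; // cannot canonicalise: deny rather than guess
  }
  const base = basename(posixNormalize(decoded));
  return DENY.some((glob) => globToRegExp(glob, caseInsensitiveFs).test(base));
}

// Platform heuristic (assumption): Windows and macOS default to case-insensitive
// filesystems. A real server should probe the served directory instead.
function fsIsCaseInsensitive(platform = process.platform) {
  return platform === 'win32' || platform === 'darwin';
}

// Constructed requests an attacker might send against a dev server.
const PROBES = ['/.env', '/.ENV', '/.Env.local', '/%2Eenv', '/server.PEM'];

// Run both checks over every probe for a given filesystem case-sensitivity.
function compare(probes = PROBES, caseInsensitiveFs = true) {
  return probes.map((request) => ({
    request,
    naive: isDeniedNaive(request),
    hardened: isDeniedHardened(request, { caseInsensitiveFs }),
  }));
}

console.table(compare(PROBES, fsIsCaseInsensitive()));
```

Run with `node` on a macOS or Windows host to see the naive column allow `/.ENV`, `/.Env.local`, `/%2Eenv` and `/server.PEM` while the hardened column denies all of them; pass `false` as the second argument to `compare` to see the case-sensitive behaviour, where only the encoded probe differs.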

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jan 20, 2024
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jan 20, 2024
@denyskon denyskon added the giteabot/update-branch Hint for the bot that it should update a PR with the latest state on main label Jan 20, 2024
@GiteaBot GiteaBot removed the giteabot/update-branch Hint for the bot that it should update a PR with the latest state on main label Jan 20, 2024
@denyskon denyskon added the giteabot/update-branch Hint for the bot that it should update a PR with the latest state on main label Jan 20, 2024
@GiteaBot GiteaBot removed the giteabot/update-branch Hint for the bot that it should update a PR with the latest state on main label Jan 20, 2024
@denyskon
Member

@yardenshoham Could you update the branch? Seems like the bot won't 😆

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jan 20, 2024
@denyskon denyskon added type/dependency-update skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. labels Jan 20, 2024
@denyskon denyskon added the backport/v1.21 This PR should be backported to Gitea 1.21 label Jan 20, 2024
@denyskon denyskon added this to the 1.22.0 milestone Jan 20, 2024
@yardenshoham
Member Author

I don't think the backport will work

@denyskon denyskon removed the backport/v1.21 This PR should be backported to Gitea 1.21 label Jan 20, 2024
@denyskon
Member

Maybe you're right; merging package-lock can fail in many possible ways...

@techknowlogick
Member

I think it's ok not to backport this as it affects the vite dev server which we don't use.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jan 20, 2024
@techknowlogick techknowlogick enabled auto-merge (squash) January 20, 2024 15:28
@yardenshoham yardenshoham added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Jan 20, 2024
@techknowlogick techknowlogick merged commit 6c771a3 into go-gitea:main Jan 20, 2024
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Jan 20, 2024
@yardenshoham yardenshoham deleted the npm-audit branch January 20, 2024 15:40
zjjhot added a commit to zjjhot/gitea that referenced this pull request Jan 22, 2024
* giteaofficial/main:
  [skip ci] Updated licenses and gitignores
  Prevent anonymous container access if `RequireSignInView` is enabled (go-gitea#28877)
  Don't show new pr button when page is not compare pull (go-gitea#26431)
  Avoid duplicate JS error messages on UI (go-gitea#28873)
  Fix branch list bug which displayed default branch twice (go-gitea#28878)
  Revert adding htmx until we finally decide to add it (go-gitea#28879)
  Don't do a full page load when clicking the follow button (go-gitea#28872)
  Don't do a full page load when clicking the subscribe button (go-gitea#28871)
  Fix incorrect PostgreSQL connection string for Unix sockets (go-gitea#28865)
  Run `npm audit fix` (go-gitea#28866)
  Fix migrate storage bug (go-gitea#28830)
  Set the `isPermaLink` attribute to `false` in the `guid` sub-element (go-gitea#28860)
  In administration documentation about environment variables, point to those for the Go runtime instead of Go compiler (go-gitea#28859)
  Move doctor package from modules to services (go-gitea#28856)
  Add support for sha256 repositories (go-gitea#23894)
  Fix incorrect action duration time when rerun the job before executed once (go-gitea#28364)
  Fix some RPM registry flaws (go-gitea#28782)
  tests: missing refs/ in bare repositories (go-gitea#28844)
  Fix archive creating LFS hooks and breaking pull requests (go-gitea#28848)
henrygoodman pushed a commit to henrygoodman/gitea that referenced this pull request Jan 31, 2024
silverwind pushed a commit to silverwind/gitea that referenced this pull request Feb 20, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 6, 2024
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features.