High severity security vulnerability "simple-get" dependency #692

Closed
sven-seyfert opened this issue Jan 29, 2022 · 8 comments

sven-seyfert commented Jan 29, 2022

Hi folks,

could you please have a look at this: CVE-2022-0355

Dependabot:

Dependabot cannot update simple-get to a non-vulnerable version
The latest possible version that can be installed is 3.1.0 because of the following conflicting dependency:
vsce@2.6.4 requires simple-get@^3.0.3 via a transitive dependency on prebuild-install@6.1.4
The earliest fixed version is 4.0.1.


Thanks for your work folks and I am grateful to see a fix 😀👍 .

Best regards
Sven

Stay innovative!
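As an added example that is not part of this issue or the vsce project: the script below walks an npm-style dependency tree, lists every path that reaches the vulnerable package, and checks whether the caret range declared on the last hop can ever resolve to the fixed version, which is exactly the "conflicting dependency" situation Dependabot describes above. The tree is constructed from the Dependabot message; the vsce -> keytar -> prebuild-install edges and their caret ranges are assumed, not taken from the page.

```javascript
// Constructed tree mirroring the Dependabot message; the vsce -> keytar ->
// prebuild-install edges and their ranges are assumed, not taken from the page.
const tree = {
  root: 'vsce',
  packages: {
    vsce: { version: '2.6.4', requires: { keytar: '^7.7.0' } },
    keytar: { version: '7.7.0', requires: { 'prebuild-install': '^6.0.0' } },
    'prebuild-install': { version: '6.1.4', requires: { 'simple-get': '^3.0.3' } },
    'simple-get': { version: '3.1.0', requires: {} },
  },
};

const parseVersion = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
};
const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Caret range: only the components right of the left-most non-zero one may
// change, so ^3.0.3 means >=3.0.3 <4.0.0. A bare version matches exactly.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (!range.startsWith('^')) return compare(parseVersion(range), v) === 0;
  const lo = parseVersion(range.slice(1));
  const hi = lo[0] ? [lo[0] + 1, 0, 0] : lo[1] ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Every path root -> ... -> target, with the range declared on the last hop.
function findPaths(tree, target) {
  const out = [];
  const walk = (name, path, seen) => {
    for (const [dep, range] of Object.entries(tree.packages[name].requires)) {
      const next = [...path, `${dep}@${tree.packages[dep]?.version ?? '?'}`];
      if (dep === target) out.push({ path: next, range });
      else if (tree.packages[dep] && !seen.has(dep)) walk(dep, next, new Set([...seen, dep]));
    }
  };
  walk(tree.root, [`${tree.root}@${tree.packages[tree.root].version}`], new Set([tree.root]));
  return out;
}

// Paths whose range can never resolve to the fixed version (Dependabot's "conflicting dependency").
function blockingPaths(tree, target, fixedVersion) {
  return findPaths(tree, target).filter((p) => !satisfies(p.range, fixedVersion));
}

for (const p of blockingPaths(tree, 'simple-get', '4.0.1')) {
  console.log(`${p.path.join(' > ')} declares ${p.range}, which excludes 4.0.1`);
}
```

Each reported path names the intermediate package that has to widen its range (here prebuild-install) before the consumer can pick up the fix, which is why the thread below waits on upstream releases.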
joaomoreno (Member) commented Jan 31, 2022

There is nothing vsce can do until prebuild-install or keytar release new versions.

@joaomoreno joaomoreno self-assigned this Jan 31, 2022
joaomoreno (Member) commented:
Blocked by atom/node-keytar#441

andyleejordan (Member) commented:
The last commit made to node-keytar was November 2021, so we might all be waiting for a while.

andyleejordan (Member) commented:
FYI node-keytar got their dependency updated this morning in atom/node-keytar#443 so I would expect to see a new release from them pretty dang soon.

sergiou87 commented:
Hi all! 👋

We released keytar v7.8.0 yesterday with the latest versions of those dependencies, I hope that helps!

And we're very sorry if this caused any inconvenience to you 😓

andyleejordan (Member) commented:
Thanks so much @sergiou87!

@joaomoreno joaomoreno added blocked upstream dependencies Pull requests that update a dependency file labels Feb 3, 2022
@joaomoreno joaomoreno added this to the February 2022 milestone Feb 3, 2022
github-actions bot commented Feb 3, 2022

🎉 This issue has been resolved in version 2.6.7 🎉

The release is available on:

Your semantic-release bot 📦🚀

sven-seyfert (Author) commented:
Awesome folks, thanks to all of you 😊 .

wandyezj pushed a commit to wandyezj/vscode-vsce that referenced this issue Mar 1, 2022
Labels: blocked, upstream dependencies, released