
js-yaml needs to be updated (and should have a range version) #3876

Closed
kaiyoma opened this issue Apr 15, 2019 · 7 comments · Fixed by #3877
Labels
area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes"

Comments


kaiyoma commented Apr 15, 2019

Description

js-yaml has a new security vulnerability: https://www.npmjs.com/advisories/813

For some reason, a specific version (3.13.0) is being specified in package.json. Why isn't this a range?

Steps to Reproduce

Install the latest version of mocha, then run yarn audit.

Expected behavior:
No vulnerabilities found.

Actual behavior:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > js-yaml                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/813                         │
└───────────────┴──────────────────────────────────────────────────────────────┘

Versions

mocha 6.1.3


soatok commented Apr 16, 2019

This is giving me a sev:high security alert when I run npm audit :(

@meszaros-lajos-gyorgy

Someone is being really active at npm, going through js-yaml with a fine-tooth comb. The last issue was reported in less than a month: https://www.npmjs.com/advisories/788


fsinisi90 commented Apr 16, 2019

Same warning here, npm audit --force fix wasn't fixing it.

I had to update the package.json of mocha manually with:

"js-yaml": "3.13.1"

@anastasia-b

Do you have any idea on when the PR will get merged? Our team is very eager for this security fix :)

TheGoddessInari added a commit to TheGoddessInari/hamsket that referenced this issue Apr 16, 2019
@plroebuck plroebuck added area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes" and removed unconfirmed-bug labels Apr 17, 2019

yelworc commented Apr 18, 2019

Out of curiosity, what is the rationale behind pinning exact dependency versions in package.json (@plroebuck)? Why not at least use the tilde operator, so npm audit can fix issues like this one without having to wait for the next mocha release? Did a quick search in this repo and the maintainers doc but couldn't find any explanation.
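As an added example (not code from mocha, js-yaml or any commenter in this thread), the following Node script flags dependencies in a package.json that are pinned to an exact version and checks each pin against an advisory's "Patched in" floor, suggesting a tilde range so a future npm audit fix could move it. The package.json contents and the PATCHED_IN table are constructed for this example from the versions quoted on this page.

```javascript
// Constructed package.json mirroring the situation in this issue:
// js-yaml pinned to exactly 3.13.0 next to two range-specified deps.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: { "js-yaml": "3.13.0", "debug": "~4.1.0", "glob": "^7.1.3" },
});

// Constructed advisory table: package -> minimum patched version
// (the "Patched in >=3.13.1" row from the audit output above).
const PATCHED_IN = { "js-yaml": "3.13.1" };

// Parse "major.minor.patch" into three numbers; rejects ranges and prerelease tags.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// An exact pin is a bare version: no ^, ~, >=, x-ranges, or || alternatives.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec.trim());
}

// Return one finding per exact-pinned dependency; a pin is vulnerable when the
// advisory table lists the package and the pinned version is below the fix.
function auditPins(packageJsonText, patchedIn) {
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!isExactPin(spec)) continue;
    const minFixed = patchedIn[name];
    const vulnerable = minFixed !== undefined && compareVersions(spec, minFixed) < 0;
    findings.push({ name, spec, vulnerable, fixSpec: vulnerable ? `~${minFixed}` : null });
  }
  return findings;
}

for (const f of auditPins(SAMPLE_PACKAGE_JSON, PATCHED_IN)) {
  console.log(f.vulnerable ? `${f.name}@${f.spec} is below ${PATCHED_IN[f.name]}; suggest "${f.fixSpec}"`
                           : `${f.name}@${f.spec}: exact pin, no advisory on file`);
}
```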

@boneskull (Contributor)

released as v6.1.4

@tehshane

Thanks! 🙌
