
fix(package): update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) #1537

Merged (1 commit), Oct 23, 2018

Conversation

sarbbottam (Contributor)

  • This is a bugfix
  • This is a code refactor
  • This is a test update
  • This is a typo fix
  • This is a metadata update

For Bugs and Features; did you add new tests?

N/A - the bug is not in webpack-dev-server but a dependency.

Motivation / Use-Case

Incorrect parsing in url-parse <1.4.3 returns a wrong hostname, which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.
Please refer to https://nvd.nist.gov/vuln/detail/CVE-2018-3774 for further details.

Breaking Changes

NA

Additional Info

NA
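Since the fix in this PR is purely a dependency bump, the practical check for a defender is whether any copy of url-parse older than 1.4.3 is still present anywhere in the dependency tree, including nested copies under other packages. The audit below is an added example, not code from this PR or from webpack-dev-server; it assumes a package-lock.json already parsed into an object, and the helper names and the sample lock file are hypothetical and constructed.

```javascript
// Added example (not part of the PR): audit a package-lock.json for url-parse
// versions below the fixed release 1.4.3 named in the PR (CVE-2018-3774).
// Helper names are hypothetical; the lock-file content below is constructed.

// Compare two "x.y.z" version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lock file and collect every url-parse instance (including nested
// copies pulled in by other dependencies) whose version is below `fixed`.
function findVulnerableUrlParse(lock, fixed = '1.4.3') {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/url-parse') && compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'url-parse' && compareVersions(meta.version, fixed) < 0) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: the top-level url-parse is already fixed, but an old
// sockjs-client still pins its own nested (vulnerable) copy.
const sampleLock = {
  dependencies: {
    'sockjs-client': { version: '1.1.5', dependencies: { 'url-parse': { version: '1.1.8' } } },
    'url-parse': { version: '1.4.3' },
  },
};

console.log(findVulnerableUrlParse(sampleLock));
// → [ { path: 'node_modules/sockjs-client/node_modules/url-parse', version: '1.1.8' } ]
```

Run it against a real lock file with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means no pre-1.4.3 url-parse is installed at any depth.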

jsf-clabot commented Oct 23, 2018

CLA assistant check
All committers have signed the CLA.

michael-ciniawsky changed the title from "fix(url-parse): updated sockjs-client to address url-parse vulnerability" to "fix(package): update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability)" on Oct 23, 2018
michael-ciniawsky added this to the 3.1.10 milestone on Oct 23, 2018
michael-ciniawsky (Member) left a review comment

codecov bot commented Oct 23, 2018

Codecov Report

Merging #1537 into master will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##           master    #1537   +/-   ##
=======================================
  Coverage   74.02%   74.02%           
=======================================
  Files          10       10           
  Lines         666      666           
=======================================
  Hits          493      493           
  Misses        173      173


michael-ciniawsky (Member) commented:

Released in v3.1.10 🎉

This was referenced Mar 13, 2021