Bump node-fetch from 2.6.1 to 2.6.7 to resolve a security vulnerability #3082

Closed
7 tasks done
Sparky-code opened this issue Apr 25, 2022 · 6 comments · Fixed by #3263
Labels: Complexity: Medium; Feature: Board/GitHub Maintenance (Project board maintenance that we have to do repeatedly); role: back end/devOps (Tasks for back-end developers); size: 2pt (Can be done in 7-12 hours); Status: Updated (No blockers and update is ready for review); Status: Urgent (Needs to be worked on immediately)
Comments

Sparky-code commented Apr 25, 2022

Overview

As a developer, I would like the website team repo to be free of security vulnerabilities. For this issue, we will address the security vulnerability alert related to node-fetch.

Details

This issue addresses a security issue in node-fetch versions < 2.6.7 that was automatically flagged by GitHub's Dependabot.

Note: Node-fetch is vulnerable to exposure of sensitive information to an unauthorized actor.

Action Items

  • Enable alerts and updates in your own fork of the Hack for LA website so that they match those in the Hack for LA repository. These settings can be found in the Settings tab of your own repo under "Code security and analysis" and are shown in image 1 below.
  • After enabling the above, you should see an autogenerated PR in your own repository which references the node-fetch vulnerability, images 2 and 3 below.
  • Review package-lock.json file where changes need to be made.
  • Double-check if this update has caused issues and/or unintended changes in repositories that were updated.
  • Include the results of your check as a comment in this issue.
  • Address this PR in your own repository in order to test if the update causes any issues for the Hack for LA website.
  • Pending successful research and testing of the update, create a PR to merge the changes in node-fetch to gh-pages (main).

Resources/Instructions

A page about dependabot and enabling alerts/updates
Package-lock.json file

Image 1: alerts_and_updates_github (screenshot)

Image 2: (screenshot)

Image 3: (screenshot)

Is there a dependency?

No

If Yes, please explain

N/A

@Sparky-code Sparky-code added HOLD Not ready to be worked on yet external info needed Feature: Board/GitHub Maintenance Project board maintenance that we have to do repeatedly size: 2pt Can be done in 7-12 hours labels Apr 25, 2022
@github-actions

This comment was marked as resolved.

@SAUMILDHANKAR SAUMILDHANKAR added role: back end/devOps Tasks for back-end developers and removed role missing labels Apr 26, 2022
@SAUMILDHANKAR SAUMILDHANKAR changed the title Bump node-fetch from 2.6.1 to 2.6.7 in /github-actions/github-data Bump node-fetch from 2.6.1 to 2.6.7 to resolve a security vulnerability Apr 26, 2022
@SAUMILDHANKAR SAUMILDHANKAR added Status: Urgent Needs to be worked on immediately Ready for Prioritization and removed HOLD Not ready to be worked on yet external info needed labels Apr 26, 2022
@ExperimentsInHonesty ExperimentsInHonesty added this to the 02. Security milestone Apr 30, 2022
blulady commented May 22, 2022

ETA: Thursday (5/26)
Availability: Thursday - Saturday (5/26 - 5/28)

JessicaLucindaCheng commented Jun 1, 2022

@blulady Please move this issue into the "In Progress" column

Edit: I have gone ahead and moved it to the In Progress column this time. However, in the future, please remember to move the issue to the In Progress column at the time you self-assign an issue. Thanks.

@JessicaLucindaCheng JessicaLucindaCheng added the 2 weeks inactive An issue that has not been updated by an assignee for two weeks label Jun 8, 2022
@github-actions

@blulady

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures: "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the developer meeting discussion column and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel.

You are receiving this comment because your last comment was before Tuesday, June 7, 2022 at 12:21 AM PST.

blulady commented Jun 10, 2022

Progress: I have completed the first few check marks. I need to read: A page about dependabot and enabling alerts/updates and the
Blockers: As of right now, just need to read the instructions
Availability: 4 hours to work on it this weekend
ETA: Uncertain how many hours it will take
Pictures (optional): Currently no visual changes

@blulady blulady added the Status: Updated No blockers and update is ready for review label Jun 10, 2022
blulady commented Jun 14, 2022

Step 1: Enable Dependency Graph, Dependabot Alerts, Dependabot Security Updates

Screenshot (158)

Step 2: Make sure that I am seeing the alert in my repository

Screenshot (159)

and that I am able to review the security update
Screenshot (160)

Step 3: Review [package-lock.json file](https://github.com/hackforla/website/blob/gh-pages/github-actions/github-data/package-lock.json) where changes need to be made. This is a bit more challenging because Hack For LA’s package-lock.json file doesn’t look like my package-lock.json file:

Hack for LA's
Screenshot (162)

Mine
Screenshot (163)

Step 4: Review package-lock where changes need to be made

Screenshot (164)

Step 5: Research if this update has caused issues and/or unintended changes in repositories that were updated. Unclear as to what steps should be taken here. Google search?
Step 6: Address this PR in your own repository in order to test if the update causes any issues for the Hack for LA website.

Screenshots (165) through (175)

Step 7: Pending successful research and testing of the update, create a PR to merge the changes in node-fetch to gh-pages. Will attend meeting tonight and ask about moving forward with a PR.

@blulady blulady added the Status: Help Wanted Internal assistance is required to make progress label Jun 15, 2022
@github-actions github-actions bot removed the 2 weeks inactive An issue that has not been updated by an assignee for two weeks label Jun 17, 2022