This repository has been archived by the owner on May 10, 2024. It is now read-only.

upgrade vulnerable package #112

Closed
wants to merge 3 commits into from

Conversation

pickworth

No description provided.

@pickworth
Author

fixes #111

@coveralls

coveralls commented Sep 1, 2016


Coverage remained the same at 93.611% when pulling 57eaca8 on nmors:bugfux-vuln into 1272f87 on mulesoft:master.

@pickworth
Author

pickworth commented Sep 1, 2016

I also updated the package version for negotiator in node-request-error-handler
0.6.0 -> 0.6.1 (see: mulesoft-labs/node-request-error-handler#3, reason: https://nodesecurity.io/advisories/106)

mulesoft-labs/node-request-error-handler#3 will need to be merged and updated in NPM BEFORE this is merged, as request-error-handler will be bumped to 1.0.3 (the travis test should then pass)

@sichvoge
Contributor

sichvoge commented Sep 1, 2016

@nmors travis is failing, can you have a look please.

@pickworth
Author

pickworth commented Sep 2, 2016

@sichvoge as I mentioned (when I updated my previous comment), travis will fail until mulesoft-labs/node-request-error-handler#3 is merged first, as the downstream bumped version will not resolve.

@sichvoge
Contributor

sichvoge commented Sep 2, 2016

I have let the team know about that, and we will resolve the issue as soon as possible.

@tbruno

tbruno commented Sep 2, 2016

We are making use of Caret ranges (https://docs.npmjs.com/misc/semver#caret-ranges-123-025-004)

Allows changes that do not modify the left-most non-zero digit in the [major, minor, patch] tuple. In other words, this allows patch and minor updates for versions 1.0.0 and above, patch updates for versions 0.X >=0.1.0, and no updates for versions 0.0.X.

So by having "request-error-handler": "^1.0.0" in Osprey's package.json and "negotiator": "^0.6.0" in request-error-handler's package.json, we are indeed telling NPM to install the latest minor and patch in 1.x.x for "request-error-handler" and the latest patch in 0.6.x for "negotiator".
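To make the caret rule quoted above concrete, here is an added example (not code from osprey, request-error-handler or the npm semver library) that implements that rule for plain major.minor.patch versions and resolves the two ranges discussed in this thread; the published-version lists are constructed, not fetched from the registry.

```javascript
// Added example: npm's caret-range rule ("hold the left-most non-zero
// component fixed, everything to its right may grow") for plain x.y.z
// versions. Prerelease tags, build metadata and other range operators
// (~, x-ranges, hyphen ranges) are deliberately not handled here.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

// Lexicographic comparison of two [major, minor, patch] tuples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Exclusive upper bound of ^base: bump the left-most non-zero component.
// ^1.0.0 -> <2.0.0, ^0.6.0 -> <0.7.0, ^0.0.3 -> <0.0.4, ^0.0.0 -> <0.0.1.
function caretUpperBound(base) {
  const idx = base.findIndex((n) => n !== 0);
  if (idx === -1) return [0, 0, 1];
  const bound = [0, 0, 0];
  bound[idx] = base[idx] + 1;
  return bound;
}

// True if `candidate` lies in the half-open interval [base, upperBound).
function caretSatisfies(range, candidate) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const base = parseVersion(range.slice(1));
  const cand = parseVersion(candidate);
  return compareVersions(cand, base) >= 0 &&
         compareVersions(cand, caretUpperBound(base)) < 0;
}

// Every published version the range admits, lowest first. Comparing this
// list against an advisory's affected versions tells you whether the range
// alone rules out the vulnerable release or merely prefers the fixed one.
function admittedVersions(range, published) {
  return published.filter((v) => caretSatisfies(range, v))
                  .map(parseVersion).sort(compareVersions)
                  .map((t) => t.join('.'));
}

// The version npm would pick with no lockfile: the highest admitted one.
function resolveHighest(range, published) {
  const admitted = admittedVersions(range, published);
  return admitted.length ? admitted[admitted.length - 1] : null;
}
```

With the constructed list ["0.5.9", "0.6.0", "0.6.1", "0.7.0"], `resolveHighest("^0.6.0", ...)` returns "0.6.1" as tbruno describes, but `admittedVersions` still lists "0.6.0", so the range prefers the fixed release without excluding the earlier one.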

@danielwpz
Contributor

Please merge this and #157
For security issues, we shall NEVER allow a potentially vulnerable dependency to be used. We need to be specific that any version that's affected shall be avoided.

@jstoiko
Contributor

jstoiko commented Feb 23, 2018

@danielwpz: this PR is outdated and doesn't make a difference, as @tbruno pointed out above. Closing.

@jstoiko jstoiko closed this Feb 23, 2018
@danielwpz
Contributor

danielwpz commented Feb 23, 2018

@tbruno @jstoiko caret can be potentially vulnerable to us:
consider the following package.json

  "dependencies": {
    "osprey": "^0.4.1",
    "raml-1-parser": "1.1.39"
  }

In that case osprey won't be using the latest raml-1-parser.
