
Security vulnerability (High Severity) in js-yaml dependency #600

Closed
lukewlms opened this issue Apr 10, 2019 · 5 comments

Comments

@lukewlms

Description

js-yaml needs to be updated to >= 3.13.0. The current version has a moderate-severity security vulnerability.


Steps to reproduce

  • Install latest
  • Run npm audit / yarn audit

Debug Logs

Not applicable

Environment

  • OS: This applies in all environments
  • Node.js: 1
  • lint-staged: Latest: 8.1.5
@mattxwang
Contributor

mattxwang commented May 13, 2019

As an update, npm audit now yields a high severity error (code injection) on the same dependency. For reference, this is on node version 10.15.3, but should be irrespective of node version. However, I just updated the dependency (husky also depended on it, and updated it) and it all worked out.

Terminal Screenshot

@okonet
Collaborator

okonet commented May 14, 2019

Please go ahead and submit a PR!

@lukewlms lukewlms changed the title Security vulnerability (moderate) in js-yaml dependency Security vulnerability (High Severity) in js-yaml dependency May 14, 2019
@mattxwang
Contributor

I looked into the issue on the side of cosmiconfig, and found this issue - in sum, short-term we just need to update the package-lock.json or yarn.lock, and long-term they are considering moving away from js-yaml as it has a history of security vulnerabilities.

I'm not familiar with the internals of lint-staged - would it be alright if we just bumped the version of cosmiconfig? What code relies on it? I don't mind submitting a PR to fix this up.
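The lockfile check the comment above calls for, as an added example that is not code from this thread or from the lint-staged project: it walks a package-lock.json (lockfileVersion 1 layout, nested "dependencies" objects) and lists every js-yaml entry that still resolves below the fixed version 3.13.0, with the chain of packages that pulls it in. The lock content in SAMPLE_LOCK is constructed for illustration.

```javascript
// Added example: find js-yaml entries below 3.13.0 in a v1 package-lock.json.
const FIXED = [3, 13, 0]; // js-yaml >= 3.13.0 is the fixed range named in the issue

// Parse "major.minor.patch" into integers; a pre-release suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Strict numeric comparison, component by component.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the nested dependency tree and collect every copy of `pkg` that is
// still below `fixed`, recording the path of packages that pulls it in.
function findVulnerableJsYaml(lock, pkg = "js-yaml", fixed = FIXED) {
  const hits = [];
  function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === pkg && lessThan(parseVersion(info.version), fixed)) {
        hits.push({ version: info.version, via: here.join(" > ") });
      }
      walk(info.dependencies, here); // nested (deduplication-failed) copies
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lock: a fixed js-yaml hoisted to the top level, plus an
// older copy still nested under cosmiconfig (versions are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "js-yaml": { version: "3.13.1" },
    cosmiconfig: {
      version: "0.0.0-constructed",
      dependencies: { "js-yaml": { version: "3.12.0" } },
    },
  },
};

console.log(findVulnerableJsYaml(SAMPLE_LOCK));
```

To run it against a real lockfile, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result means `npm audit` will still flag js-yaml until the lockfile is regenerated.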

@okonet
Collaborator

okonet commented May 14, 2019

Yes, I believe it should be enough.

@okonet
Collaborator

okonet commented May 15, 2019

🎉 This issue has been resolved in version 8.1.7 🎉

The release is available on:

Your semantic-release bot 📦🚀
