
Security issue in ansi-regex dependency (via yargs) #866

Closed
jlaine opened this issue Oct 7, 2021 · 8 comments

Comments

@jlaine

jlaine commented Oct 7, 2021

Currently it is impossible to install showdown without pulling in a security vulnerability, because showdown has a tightly versioned dependency on yargs which pulls in a vulnerable ansi-regex.

The security advisory is:

GHSA-93q8-gq69-wqmw

@SyntaxRules
Member

@jlaine I updated yargs on the master branch. Eventually there will be a 2.0.0 release with this fix.

@code-by-gijs

@SyntaxRules Can this be updated to a new version of the showdown package as well?

@SyntaxRules
Member

@code-by-gijs For sure, I'm trying to work through as much of the backlog as I can before releasing; as you can tell there are quite a few issues. It may take a bit before I can get the release out.

@code-by-gijs

@SyntaxRules awesome, thanks!

@wbt

wbt commented Jan 7, 2022

With some ambitious plans, it looks like the 2.0.0 release could be quite a ways away. Might we be able to just apply the above commits on the last release tag and publish a patch update that handles the vulnerabilities / audit failures before then?

@wbt

wbt commented Jan 7, 2022

I should also mention that's something I'm willing to do if you want to have me on with the right permissions. I'm also a maintainer on the much more widely used Winston logger for similar reasons.

@wbt

wbt commented Jan 7, 2022

Even without permissions, I can offer this quickest path route:
This is the commit which fixes the issue, but it's quite a ways ahead of the last release, so I can understand reluctance to do a release from that.
However, the version_1.x branch is only one tiny commit ahead of the release, and a brief inspection demonstrates that's not going to break anything important.
The simplest PR would likely be to update the yargs line on the version_1.x branch, run npm i to update package-lock, and do a patch-level release from that.

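A maintainer taking the route above (bump the yargs line on version_1.x, run npm i, cut a patch release) wants to confirm that the regenerated package-lock.json no longer contains a vulnerable ansi-regex anywhere in the tree, not just under yargs. The following is an added example, not code from showdown or from any commenter here: it walks a lockfile's "packages" map using npm's nesting rules to list every installed ansi-regex copy, the dependency chain that pulls each copy in, and whether the copy is older than the patched release for its major line; the lockfile fragment and the patched-version thresholds are constructed placeholders.

```javascript
// Added example (not showdown's code): audit a package-lock.json (lockfileVersion 2/3)
// for every copy of a package, the chain that pulls it in, and whether it is unpatched.
// Package names along a lockfile key: "node_modules/a/node_modules/@s/b" -> ["a", "@s/b"].
const namesOf = (key) => key.split("node_modules/").map((s) => s.replace(/\/$/, "")).filter(Boolean);
// npm's lookup rule: the nearest node_modules/<name> at or above fromKey ("" is the root project).
function resolveDep(packages, fromKey, name) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i < 0 ? "" : base.slice(0, i);
  }
}
// Every chain of package names from the root project down to targetKey (seen guards against cycles).
function chainsTo(packages, targetKey, seen = new Set()) {
  if (targetKey === "") return [[]];
  const chains = [];
  for (const [key, meta] of Object.entries(packages)) {
    if (seen.has(key)) continue;
    for (const dep of Object.keys({ ...meta.dependencies, ...meta.devDependencies })) {
      if (resolveDep(packages, key, dep) !== targetKey) continue;
      for (const c of chainsTo(packages, key, new Set([...seen, targetKey]))) chains.push([...c, dep]);
    }
  }
  return chains;
}
// major.minor.patch comparison; prerelease tags are ignored.
const parseV = (v) => v.split(/[.+-]/).slice(0, 3).map(Number);
const olderThan = (a, b) => { const x = parseV(a), y = parseV(b), i = x.findIndex((n, j) => n !== y[j]); return i >= 0 && x[i] < y[i]; };
// patched maps a major line to its first fixed version; take the real values from the advisory.
function auditPackage(lock, name, patched) {
  const packages = lock.packages || {};
  return Object.entries(packages).filter(([key]) => namesOf(key).pop() === name).map(([key, meta]) => {
    const fixed = patched[parseV(meta.version)[0]];
    return { key, version: meta.version, chains: chainsTo(packages, key), vulnerable: !!fixed && olderThan(meta.version, fixed) };
  });
}

// Constructed lockfile fragment (not showdown's real lockfile): yargs reaches ansi-regex
// through strip-ansi, and a dev tool carries its own nested copy at a different version.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "": { dependencies: { yargs: "^14.0.0" }, devDependencies: { "dev-tool": "^1.0.0" } },
  "node_modules/yargs": { version: "14.0.0", dependencies: { "strip-ansi": "^5.2.0" } },
  "node_modules/strip-ansi": { version: "5.2.0", dependencies: { "ansi-regex": "^4.1.0" } },
  "node_modules/ansi-regex": { version: "4.1.0" },
  "node_modules/dev-tool": { version: "1.0.0", dependencies: { "ansi-regex": "^5.0.0" } },
  "node_modules/dev-tool/node_modules/ansi-regex": { version: "5.0.1" },
} };
```

On a real checkout, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` as the lock and the fixed versions listed in GHSA-93q8-gq69-wqmw as `patched`; running it before and after the yargs bump and `npm i` shows whether any vulnerable copy survives, including ones hoisted to the top level by unrelated packages.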
@wbt

wbt commented Jan 10, 2022

I've added a PR which should fix this. It drops support for node v6 and v8, so technically it should probably go out as 2.0.0, with the next big breaking release now being planned going out in n months as 3.0.0.
This commit bumps the version number and adds changelog notes; you can copy (the source of) that and paste it right into the release notes.

Merge, release on Github, publish to npm, and this issue is solved. Thanks for your work!
