Skip to content

Commit

Permalink
Workaround an existing security vulnerability in terminal-image
Browse files Browse the repository at this point in the history
`terminal-image` indirectly depends on `plist 2.0.1` which is vulnerable
to a DOS attack.
We force the use of a more recent version to fix the issue. There is no
incompatibility risk as the breaking change for this library is the drop
of node 4 support.

We also opened directly a bug so that the dependency is updated in the
library that uses this version: sindresorhus/term-img#6
  • Loading branch information
yannrouillard committed Nov 28, 2018
1 parent 3adb3b9 commit b75b035
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 17 deletions.
3 changes: 2 additions & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,8 @@
},
"resolutions": {
"instagram-private-api/tough-cookie-filestore/tough-cookie": "^2.3.3",
"instagram-private-api/request-promise": "^4.2.2"
"instagram-private-api/request-promise": "^4.2.2",
"terminal-image/term-img/iterm2-version/plist": "^3.0.1"
},
"devDependencies": {
"eslint": "^5.7.0",
Expand Down
27 changes: 11 additions & 16 deletions yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -480,10 +480,10 @@ [email protected]:
resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-0.0.8.tgz#1101e9544f4a76b1bc3b26d452ca96d7a35e7978"
integrity sha1-EQHpVE9KdrG8OybUUsqW16NeeXg=

[email protected].0:
version "1.2.0"
resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-1.2.0.tgz#a39992d723584811982be5e290bb6a53d86700f1"
integrity sha1-o5mS1yNYSBGYK+XikLtqU9hnAPE=
base64-js@^1.2.3:
version "1.3.0"
resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-1.3.0.tgz#cab1e6118f051095e58b5281aea8c1cd22bfc0e3"
integrity sha512-ccav/yGvoa80BQDljCxsmmQ3Xvx60/UpBIij5QN21W3wBi/hhIC9OoO+KLpu9IJTS9j4DRVJ3aDDF9cMSoa2lw==

base@^0.11.1:
version "0.11.2"
Expand Down Expand Up @@ -4177,13 +4177,13 @@ pkg-dir@^2.0.0:
dependencies:
find-up "^2.1.0"

plist@^2.0.1:
version "2.1.0"
resolved "https://registry.yarnpkg.com/plist/-/plist-2.1.0.tgz#57ccdb7a0821df21831217a3cad54e3e146a1025"
integrity sha1-V8zbeggh3yGDEhejytVOPhRqECU=
plist@^2.0.1, plist@^3.0.1:
version "3.0.1"
resolved "https://registry.yarnpkg.com/plist/-/plist-3.0.1.tgz#a9b931d17c304e8912ef0ba3bdd6182baf2e1f8c"
integrity sha512-GpgvHHocGRyQm74b6FWEZZVRroHKE1I0/BTjAmySaohK+cUn+hZpbqXkc3KWgW3gQYkqcQej35FohcT0FRlkRQ==
dependencies:
base64-js "1.2.0"
xmlbuilder "8.2.2"
base64-js "^1.2.3"
xmlbuilder "^9.0.7"
xmldom "0.1.x"

pluralize@^7.0.0:
Expand Down Expand Up @@ -5550,12 +5550,7 @@ xml2js@^0.4.5:
sax ">=0.6.0"
xmlbuilder "~9.0.1"

[email protected]:
version "8.2.2"
resolved "https://registry.yarnpkg.com/xmlbuilder/-/xmlbuilder-8.2.2.tgz#69248673410b4ba42e1a6136551d2922335aa773"
integrity sha1-aSSGc0ELS6QuGmE2VR0pIjNap3M=

xmlbuilder@~9.0.1:
xmlbuilder@^9.0.7, xmlbuilder@~9.0.1:
version "9.0.7"
resolved "https://registry.yarnpkg.com/xmlbuilder/-/xmlbuilder-9.0.7.tgz#132ee63d2ec5565c557e20f4c22df9aca686b10d"
integrity sha1-Ey7mPS7FVlxVfiD0wi35rKaGsQ0=
Expand Down

0 comments on commit b75b035

Please sign in to comment.