
Update yarn.lock to fix vulnerable dependencies #2479

Closed
wants to merge 2 commits into from

Conversation

poovamraj

@poovamraj poovamraj commented Nov 7, 2023

Changes

We are updating all the dependencies that are marked as vulnerable. There is a separate commit upgrading crypto-js to fix vulnerability CVE-2023-46233

References

https://nvd.nist.gov/vuln/detail/CVE-2023-46233

Testing

Ran unit tests. Checking with CI for integration test.


codecov bot commented Nov 7, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (dec9d25) 41.74% compared to head (e5bc52c) 41.74%.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2479   +/-   ##
=======================================
  Coverage   41.74%   41.74%           
=======================================
  Files         120      120           
  Lines        3066     3066           
  Branches      332      332           
=======================================
  Hits         1280     1280           
  Misses       1694     1694           
  Partials       92       92           


@poovamraj poovamraj added this pull request to the merge queue Nov 7, 2023
@evansims evansims removed this pull request from the merge queue due to the queue being cleared Nov 7, 2023
Member

@frederikprijck frederikprijck left a comment


Is there a reason we are changing all the registries from yarn to npm?

@poovamraj
Author

@frederikprijck I missed that one. I used https://www.npmjs.com/package/yarn-audit-fix and it looks like it uses the npm audit command, which replaces the registry. We can remove the first commit and just go ahead with the 2nd commit if this is an issue. I wanted to fix all vulnerabilities shown in yarn audit and that's why I went ahead with this.

@frederikprijck
Member

It looks like yarn-audit-fix has a --registry flag. Would it work if you do --registry=https://registry.yarnpkg.com/ ?
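A review check for the registry rewrite discussed above, added here as an example (not code from this PR or the project): it parses a v1 yarn.lock and lists entries whose resolved URL is not on the expected registry. The expected registry URL, the sample lockfile, its package names and versions are constructed assumptions.

```javascript
// Added example, not code from the PR or the project: scan a v1 yarn.lock for
// entries whose "resolved" URL points somewhere other than the registry the
// team expects, the kind of rewrite this PR discusses.

// Assumption: the team's intended registry (the PR suggests the yarnpkg one).
const EXPECTED_REGISTRY = 'https://registry.yarnpkg.com/';

// Parse v1 yarn.lock text into [{ name, version, resolved }].
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Unindented line: an entry header such as `"crypto-js@^1.0.0":`
      current = { name: line.replace(/:$/, '').replace(/"/g, ''), version: null, resolved: null };
      entries.push(current);
      continue;
    }
    if (!current) continue;
    const m = line.trim().match(/^(version|resolved)\s+"?([^"]*)"?$/);
    if (m) current[m[1]] = m[2];
  }
  return entries;
}

// Entries that resolve outside the expected registry (or carry no resolved URL).
function findForeignRegistryEntries(text, expected = EXPECTED_REGISTRY) {
  return parseYarnLock(text).filter((e) => !e.resolved || !e.resolved.startsWith(expected));
}

// Constructed sample lockfile: package versions and integrity values are placeholders.
const SAMPLE_LOCK = `# yarn lockfile v1

"crypto-js@^1.0.0":
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/crypto-js/-/crypto-js-1.0.0.tgz"
  integrity sha512-PLACEHOLDER

"example-dep@^2.0.0":
  version "2.0.0"
  resolved "https://registry.npmjs.org/example-dep/-/example-dep-2.0.0.tgz"
  integrity sha512-PLACEHOLDER
`;

// Report every entry whose registry differs from the expected one.
for (const e of findForeignRegistryEntries(SAMPLE_LOCK)) {
  console.log(`registry changed: ${e.name} -> ${e.resolved}`);
}
```

Running it against a real lockfile means reading the file contents into the text argument; a non-empty result is the signal to re-run the audit tool with its --registry flag or to revert the lockfile changes.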

@frederikprijck frederikprijck changed the title Update yarn.lock to fix vulnerable dependencies Update crypto-js Nov 13, 2023
@frederikprijck frederikprijck changed the title Update crypto-js Update yarn.lock to fix vulnerable dependencies Nov 13, 2023
@frederikprijck
Member

frederikprijck commented Nov 13, 2023

I am going to close this. Crypto-js is pulled in through auth0.js. I patched auth0js and will update auth0js in the repo: auth0/auth0.js#1363

I will also follow up with an audit fix like in this PR separately.

frederikprijck added a commit that referenced this pull request Nov 13, 2023
### Changes
Upgrading auth0-js to solve a vulnerability with crypto-js
[CVE-2023-46233](https://nvd.nist.gov/vuln/detail/CVE-2023-46233)

### References
https://nvd.nist.gov/vuln/detail/CVE-2023-46233

#2479 

### Testing
Ran unit tests. Checking with CI for integration test.