Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dep: [email protected] #116

Closed
wants to merge 1 commit into from
Closed

dep: [email protected] #116

wants to merge 1 commit into from

Conversation

mattcollier
Copy link
Contributor

@mattcollier mattcollier commented Jun 20, 2017
edited
Loading

ms patched the following vulnerability in v2.0.0 https://snyk.io/vuln/npm:ms:20170412

debug updated its ms dependency in v2.6.7.

Supersedes #111

Tracking: credential-handler/authn.io#48 digitalbazaar/bedrock-express#5

@dotchev
Copy link

dotchev commented Jun 21, 2017

Our security scans encounter the same issue. Please, merge and release a new version.

@dougwilson
Copy link
Contributor

Looking at the advisory you linked, it looks like the issue only affects the ms(string) interface, but the debug module never calls ms(string), only ms(number), so it never invokes the bas parsing code. You may want to report the incorrect flagging of the dependency to the security scan program so they can update their rules.

dougwilson
dougwilson suggested changes Jun 24, 2017
View reviewed changes
Copy link
Contributor

@dougwilson dougwilson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make the following adjustments so I can merge:

(1) Remove the ~
(2) Fix the commit message to mirror the other dependency update commits
(3) Update the History file to show the dependency update and explain in sub points what changes are introduced from the change between debug 2.6.1 and 2.6.8

Thanks!

@mattcollier
Copy link
Contributor Author

@dougwilson Ready for another pass.

dougwilson
dougwilson suggested changes Jun 24, 2017
View reviewed changes
Copy link
Contributor

@dougwilson dougwilson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, just a couple comments.

HISTORY.md Outdated
- Use same color for same namespace
- deps: ms@0.7.2
- deps: ms@2.0.0 to fix regular expression denial of service vulnerability
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't list changes in sub dependencies, and besides, since this only explains what our user's will see in the upgrade, they don't see a vulun fix since the vulun code was not being used. Just change to deps: [email protected].

HISTORY.md Outdated
- Fix error when running under React Native
- Fix Inline extend function in node implementation
- Fix null reference check on window.documentElement.style.WebkitAppearance
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will our users actually experience this change? Looks like it only applies to web browsers, which this module doesn't function in.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And it looks like that code is never executed under this module AFAIK.

HISTORY.md Outdated
- Fix error when running under React Native
- Fix Inline extend function in node implementation
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a typo ... "Fix Inline [...]" ?

@dougwilson dougwilson self-assigned this Jun 24, 2017
@mattcollier
deps: [email protected]
38ec1ba 
`ms` patched the following vulnerability in v2.0.0 https://snyk.io/vuln/npm:ms:20170412

`debug` updated its `ms` dependency in v2.6.7.

Supersedes expressjs#111
@mattcollier
Copy link
Contributor Author

@dougwilson ready for another pass.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dougwilson dougwilson dougwilson approved these changes

Assignees

@dougwilson dougwilson

Labels
deps pr
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mattcollier @dotchev @dougwilson