path-to-regexp@0.1.10 #5902
Can we just get an unreleased section on the history file?
path-to-regexp <0.1.10: 2 high severity vulnerabilities

Looking at Snyk https://security.snyk.io/package/npm/path-to-regexp, everything below version 8 is vulnerable... are there plans to upgrade to the latest version?

@omerlh Snyk is wrong. The original advisory is here: GHSA-9wv6-86v2-598j
@corneliusroemer the Snyk team updated the security advisory with the following note that adds context:
Is this helpful, or is there anything else you consider important to add?

I reported the error to them some 10 hours ago 😀 they fixed it afterwards, it seems 🙈

Oh, you're at Snyk, great! I don't know much about this vuln, I just reported wrong Snyk info to Snyk :)

I missed the full comment, here it is as a quote with line breaks:

@lirantal
@ctcpip I don't completely disagree. There's a subtlety, and nuances matter. A related analogy might be

@blakeembrey Regardless, on the approach and CVE or not, it is probably a good practice to put a security disclaimer in the README if you feel there are some "gotchas" or security-related insights you want to let consumers know about.

This is what we are saying. We do not consider a user writing an unsafe regular expression in their application code and passing it into

If we do this, would Snyk be willing to change their versions to match the ones we list in the CVE?
I've shared the context of the thread here with the Snyk analysts team, so it's for them to triage and follow up. P.S. Wes, while the thread here is on expressjs/express, the actual package in question is path-to-regexp, which is maintained by Blake. Or are you part of that project too? Asking as it would help the Snyk team figure out how/who to include in a discussion for this if it is brought up.

The Express project has governance over the packages in three GH orgs: expressjs, pillarjs, & jshttp. So yes, @blakeembrey is the author, Project Captain, and primary owner of

I will leave it up to @blakeembrey for how we would like to proceed, but from my side I would be happy if we included at least a few folks like @ctcpip & @UlisesGascon (and myself, if I would add value) who have been helping drive our security initiatives.

Ok, that's excellent. I've shared the thread with the team, so when/how they follow up they get the info. Appreciate the context, Wes ❤️
Use latest release.