Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump the y18n nodejs dependency to 4.0.1 to fix CVE-2020-7774 #2038

Closed
wants to merge 1 commit into from
Closed

Bump the y18n nodejs dependency to 4.0.1 to fix CVE-2020-7774 #2038

wants to merge 1 commit into from

Conversation

roberthbailey
Copy link
Member

Also added some minor updates to the nodejs example README.

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:

/kind breaking

/kind bug

/kind cleanup
/kind documentation
/kind feature
/kind hotfix

What this PR does / Why we need it: Address a security issue in the nodejs SDK.

Which issue(s) this PR fixes:

Closes #

Special notes for your reviewer:

@roberthbailey
Bump the y18n nodejs dependency to 4.0.1 to fix CVE-2020-7774.
585fccb 
Also added some minor updates to the nodejs example README.
@google-cla google-cla bot added the cla: yes label Mar 31, 2021
@google-oss-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: markmandel, roberthbailey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@agones-bot
Copy link
Collaborator

Build Succeeded 👏

Build Id: d5927fd8-727c-418e-b042-8bb11e9c0def

The following development artifacts have been built, and will exist for the next 30 days:

A preview of the website (the last 30 builds are retained):

To install this version:

  • git fetch https://github.com/googleforgames/agones.git pull/2038/head:pr_2038 && git checkout pr_2038
  • helm install ./install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.14.0-585fccb

@markmandel
Copy link
Member

I assume we're waiting on the nod of approval from @steven-supersolid 😄

@roberthbailey
Copy link
Member Author

I assume we're waiting on the nod of approval from @steven-supersolid 😄

That would be ideal.

steven-supersolid
steven-supersolid suggested changes Apr 1, 2021
View reviewed changes
sdks/nodejs/package-lock.json
@@ -2159,7 +2159,7 @@
}
},
"y18n": {
"version": "4.0.0",
"version": "4.0.1",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I ran npm audit fix and the lines below do not correspond to this version so this part of the config is inconsistent.
If you run the same command it will fix up the file.
Also the version of the sdk is inconsistent with package-lock.json so you'll see an update from 1.10.0-dev to 1.14.0-dev too in this file

@steven-supersolid steven-supersolid mentioned this pull request Apr 1, 2021
Merged
@roberthbailey
Copy link
Member Author

Superseded by #2040.

@roberthbailey roberthbailey deleted the nodejs-deps branch September 23, 2021 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@steven-supersolid steven-supersolid steven-supersolid requested changes

@markmandel markmandel markmandel approved these changes

@EricFortin EricFortin Awaiting requested review from EricFortin

Assignees

@markmandel markmandel

@steven-supersolid steven-supersolid

Labels
approved cla: yes size/S
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@roberthbailey @google-oss-robot @agones-bot @markmandel @steven-supersolid