
Update vulnerabilities dependencies #110

Merged (4 commits, Oct 12, 2018)

Conversation

yoshinorin
Member

Problem

The current dependencies have 6 vulnerabilities.
This problem was reported in nom install后有异常 hexo/#3215.

Below is the full report.

found 6 vulnerabilities (4 low, 1 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details


  Low             Regular Expression Denial of Service

  Package         debug
  Dependency of   mocha [dev]
  Path            mocha > debug
  More info       https://nodesecurity.io/advisories/534

  High            Regular Expression Denial of Service

  Package         minimatch
  Dependency of   mocha [dev]
  Path            mocha > glob > minimatch
  More info       https://nodesecurity.io/advisories/118

  Critical        Command Injection

  Package         growl
  Dependency of   mocha [dev]
  Path            mocha > growl
  More info       https://nodesecurity.io/advisories/146

  Low             Prototype Pollution

  Package         lodash
  Patched in      >=4.17.5
  Dependency of   jscs [dev]
  Path            jscs > jscs-jsdoc > jsdoctypeparser > lodash
  More info       https://nodesecurity.io/advisories/577

  Low             Prototype Pollution
  Package         lodash
  Patched in      >=4.17.5
  Dependency of   jscs [dev]
  Path            jscs > lodash
  More info       https://nodesecurity.io/advisories/577

  Low             Prototype Pollution
  Package         lodash
  Patched in      >=4.17.5
  Dependency of   jscs [dev]
  Path            jscs > xmlbuilder > lodash
  More info       https://nodesecurity.io/advisories/577

found 6 vulnerabilities (4 low, 1 high, 1 critical) in 1937 scanned packages
  3 vulnerabilities require semver-major dependency updates.
  3 vulnerabilities require manual review. See the full report for details.

Fix

1. Update dependencies

Update the dependency packages that contain vulnerabilities. Delete jscs: the current jscs has vulnerabilities and it can be deleted if eslint is upgraded.

2. Fix eslint style errors

After updating eslint, the code has some style errors.
Fix the eslint style errors and disable the eslint no-useless-escape rule on the repository regular expression line.
About the latter: the default eslint setting reports a no-useless-escape error, but the regular expression seems correct. So I ignore that line.
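An added example (not hexo's code or part of this PR) that parses the plain-text `npm audit` report format quoted above and applies an assumed build-gating policy: findings that only reach devDependencies (marked `[dev]`, as all six here are) are recorded but do not block unless explicitly requested. The sample report is constructed from two of the advisories listed in the PR.

```javascript
// Added example (not hexo's code): parse the plain-text `npm audit` report
// quoted in this PR and apply an assumed gating policy. Sample is constructed.
const SAMPLE_REPORT = `
  Critical        Command Injection
  Package         growl
  Dependency of   mocha [dev]
  Path            mocha > growl
  More info       https://nodesecurity.io/advisories/146

  Low             Prototype Pollution
  Package         lodash
  Patched in      >=4.17.5
  Dependency of   jscs [dev]
  Path            jscs > xmlbuilder > lodash
  More info       https://nodesecurity.io/advisories/577
`;
const SEVERITIES = ['Low', 'Moderate', 'High', 'Critical'];

// A finding starts with "<Severity>   <Title>"; the "Key   Value" lines that
// follow belong to it until the next severity line (blank lines are ignored).
function parseAuditReport(text) {
  const findings = [];
  let cur = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const head = line.match(/^(Low|Moderate|High|Critical)\s{2,}(.+)$/);
    if (head) {
      cur = { severity: head[1], title: head[2], dev: false };
      findings.push(cur);
      continue;
    }
    const kv = cur && line.match(/^(Package|Patched in|Dependency of|Path|More info)\s{2,}(.+)$/);
    if (!kv) continue;
    const [, key, value] = kv;
    if (key === 'Package') cur.package = value;
    else if (key === 'Patched in') cur.patchedIn = value;
    else if (key === 'Path') cur.path = value.split(' > ');
    else if (key === 'More info') cur.advisory = value;
    else { // "Dependency of": the "[dev]" suffix marks a devDependency
      cur.dev = /\[dev\]$/.test(value);
      cur.dependencyOf = value.replace(/\s*\[dev\]$/, '');
    }
  }
  return findings;
}

// Assumed policy: block on findings at or above minSeverity that reach a
// production dependency; dev-only findings block only when failOnDev is set.
function shouldBlock(findings, { minSeverity = 'High', failOnDev = false } = {}) {
  const threshold = SEVERITIES.indexOf(minSeverity);
  return findings.some(f => SEVERITIES.indexOf(f.severity) >= threshold && (failOnDev || !f.dev));
}
```

With the default policy the sample report does not block, because both findings sit under `[dev]` dependencies; passing `{ failOnDev: true }` makes the Critical growl advisory block.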

@yoshinorin yoshinorin requested a review from a team October 12, 2018 11:58
@coveralls

Coverage Status

Coverage remained the same at 90.0% when pulling de9fadb on YoshinoriN:update-vulnerabilities-dependencies into 4a2e283 on hexojs:master.


@segayuu segayuu (Contributor) left a comment

LGTM!

@segayuu segayuu merged commit e6414bb into hexojs:master Oct 12, 2018
@yoshinorin yoshinorin deleted the update-vulnerabilities-dependencies branch October 12, 2018 12:09