Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

normalize-url security vuln - update package-json to v6 #673

Closed
ntucker opened this issue Jun 9, 2021 · 3 comments
Closed

normalize-url security vuln - update package-json to v6 #673

ntucker opened this issue Jun 9, 2021 · 3 comments

Comments

@ntucker
Copy link

ntucker commented Jun 9, 2021
edited
Loading

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ normalize-url │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yo │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ yo > package-json > got > cacheable-request > │
│ │ normalize-url │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1755
└───────────────┴──────────────────────────────────────────────────────────────┘

https://github.com/sindresorhus/package-json/releases/tag/v6.0.0 - should be pretty easy given the only breaking change is node 8 req which is already true for yo
@ntucker ntucker changed the title normalize-url security vuln normalize-url security vuln - update package-json to v6 Jun 9, 2021
@Logicer16
Copy link
Contributor

Logicer16 commented Jun 9, 2021
edited
Loading

Currently waiting on a new release of got. See sindresorhus/got#1466

Just noticed got@9.6.0 uses the patched version of normalize-url. I'll open a pr.

@Logicer16 Logicer16 mentioned this issue Jun 12, 2021
Merged
@Logicer16
Copy link
Contributor

I think it's been fixed upstream

@JoshuaKGoldberg
Copy link

For future reference: https://www.joshuakgoldberg.com/blog/please-stop-sending-me-nested-dependency-security-reports

@JoshuaKGoldberg JoshuaKGoldberg closed this as not planned Won't fix, can't repro, duplicate, stale Jan 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ntucker @JoshuaKGoldberg @Logicer16