Skip to content

Upgrading upstream dep to avoid vulnerability #32

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
JJ wants to merge 4 commits into from
Closed

Upgrading upstream dep to avoid vulnerability #32

JJ wants to merge 4 commits into from

Conversation

@JJ
Copy link

@JJ JJ commented Nov 15, 2021
edited
Loading

Prototype polution: https://security.snyk.io/vuln/SNYK-JS-JSONSCHEMA-1920922
Incorporates #27 since it's got a better representation for the remaining deps.

Thus closes #27 when merged.

@JJ JJ mentioned this pull request Nov 15, 2021
Closed
BruceHaley
BruceHaley approved these changes Nov 16, 2021
View reviewed changes
Copy link

@BruceHaley BruceHaley left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great! Our Bot Framework samples have a nested dependency on prim. Looking forward to upgrading to the prim version that carries this json-schema v 0.4.0 dependency, thereby fixing the vulnerability. Any ETA on when the patch will be available?

This was referenced Nov 16, 2021
Closed
Closed
@JJ
Copy link
Author

JJ commented Nov 16, 2021

@bahamat any feedback on this?

Morl99
Morl99 reviewed Nov 16, 2021
View reviewed changes
package.json
Comment on lines +11 to +14
"assert-plus": "^1.0.0",
"extsprintf": "^1.3.0",
"json-schema": "^0.4.0",
"verror": "^1.10.0"
Copy link

@Morl99 Morl99 Nov 16, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are you adding carets? If you think this is a good idea, you should separate this into a different PR, otherwise you risk that this PR will get lost in discussion due to that unexpected change. Or was that merely by mistake?

Copy link
Author

@JJ JJ Nov 17, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it from the previous PR.

This was referenced Nov 16, 2021
Closed
Merged
@bahamat
Copy link
Contributor

bahamat commented Nov 17, 2021

Fixed in 017f744

@bahamat bahamat closed this Nov 17, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

3 more reviewers

@Morl99 Morl99 Morl99 left review comments

@jschirrmacher jschirrmacher jschirrmacher approved these changes

@BruceHaley BruceHaley BruceHaley approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

json-schema dependency

5 participants

@JJ @bahamat @Morl99 @jschirrmacher @BruceHaley