chore: fix vuln: override autolinker ^4.0.0 by ramonpetgrave64 · Pull Request #785 · slsa-framework/slsa-verifier

ramonpetgrave64 · 2024-06-28T21:07:46Z

fixes https://github.com/slsa-framework/slsa-verifier/security/code-scanning/11

markdown-toc's latest v1.2.0 is still vulnerable via a transitive dependency, but hasn't received updates in a long time.

This PR overrides one of the other transitive dependencies to a non-vulnerable version.

more info here jonschlinkert/markdown-toc#156 (comment)

Testing process

Manually invoked make markdown-toc and it did succeed, while also adding a missing header in the README.
Made a few typos in the headers and markdown-toc did fix them.
Cloned markdown-toc, added the override, and its unit tests passed

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

ramonpetgrave64 · 2024-06-28T21:14:13Z

@laurentsimon @ianlewis @slugclub

package.json

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>

loosebazooka · 2024-08-13T17:57:57Z

sorry I was logged in as distroless-bot

override autolinker >= 4.0.0 ^4.0.0

db0fee9

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

ramonpetgrave64 changed the title ~~deps: fix vuln: override autolinker >= 4.0.0 ^4.0.0~~ chore: fix vuln: override autolinker >= 4.0.0 ^4.0.0 Jun 28, 2024

ramonpetgrave64 marked this pull request as ready for review June 28, 2024 21:13

ramonpetgrave64 requested review from kpk47 and laurentsimon as code owners June 28, 2024 21:13

ramonpetgrave64 requested a review from ianlewis June 28, 2024 21:14

slugclub approved these changes Jul 2, 2024

View reviewed changes

package.json Outdated Show resolved Hide resolved

change to caret

60c2b9b

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>

ramonpetgrave64 changed the title ~~chore: fix vuln: override autolinker >= 4.0.0 ^4.0.0~~ chore: fix vuln: override autolinker ^4.0.0 Jul 26, 2024

distroless-bot approved these changes Aug 13, 2024

View reviewed changes

loosebazooka approved these changes Aug 13, 2024

View reviewed changes

Merge branch 'main' into ramonpetgrave64-fix-markdown-toc-vuln

c210a46

ramonpetgrave64 requested a review from a team August 13, 2024 18:53

ramonpetgrave64 enabled auto-merge (squash) August 13, 2024 18:54

ramonpetgrave64 merged commit 3f37511 into slsa-framework:main Aug 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: fix vuln: override autolinker ^4.0.0#785

chore: fix vuln: override autolinker ^4.0.0#785
ramonpetgrave64 merged 3 commits intoslsa-framework:mainfrom
ramonpetgrave64:ramonpetgrave64-fix-markdown-toc-vuln

ramonpetgrave64 commented Jun 28, 2024 •

edited

Loading

Uh oh!

ramonpetgrave64 commented Jun 28, 2024

Uh oh!

Uh oh!

loosebazooka commented Aug 13, 2024 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

ramonpetgrave64 commented Jun 28, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Testing process

Uh oh!

ramonpetgrave64 commented Jun 28, 2024

Uh oh!

Uh oh!

loosebazooka commented Aug 13, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

ramonpetgrave64 commented Jun 28, 2024 •

edited

Loading

loosebazooka commented Aug 13, 2024 •

edited

Loading