Skip to content

Dependency update for jest-reporters, addressing CVE-2022-25883#14401

Merged
SimenB merged 3 commits into
jestjs:mainfrom
karlnorling:sec/semver-CVE-2022-25883
Aug 12, 2023
Merged

Dependency update for jest-reporters, addressing CVE-2022-25883#14401
SimenB merged 3 commits into
jestjs:mainfrom
karlnorling:sec/semver-CVE-2022-25883

Conversation

@karlnorling

Copy link
Copy Markdown
Contributor

Summary

Addressing https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795 for semver coming in fromistanbul-lib-instrument@^5.1.0 and below.

See: istanbuljs/istanbuljs#731

  • istanbul-lib-instrument updated from 5.10.0 to 6.0.0
    • istanbul-lib-instrument dropping support for node 10
    • fixing semver vuln. CVE-2022-25883

Test plan

Green CI.

@linux-foundation-easycla

linux-foundation-easycla Bot commented Aug 10, 2023

Copy link
Copy Markdown

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: karlnorling / name: Karl Norling (94c1216)
  • ✅ login: SimenB / name: Simen Bekkhus (93b5ce3, 720ba68)

@netlify

netlify Bot commented Aug 10, 2023

Copy link
Copy Markdown

Deploy Preview for jestjs ready!

Built without sensitive environment variables

Name Link
🔨 Latest commit 720ba68
🔍 Latest deploy log https://app.netlify.com/sites/jestjs/deploys/64d67b64b191e80008c66f96
😎 Deploy Preview https://deploy-preview-14401--jestjs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@karlnorling karlnorling force-pushed the sec/semver-CVE-2022-25883 branch from 9a2831e to 6da7366 Compare August 10, 2023 13:30
@SimenB

SimenB commented Aug 10, 2023

Copy link
Copy Markdown
Member

The fixed semver is in semver range, so you don't need this update for your own projects.


That said, happy to upgrade to the new major here regardless. Could you run yarn, add a changelog entry and sign the CLA?

@karlnorling karlnorling force-pushed the sec/semver-CVE-2022-25883 branch 2 times, most recently from 7bbe8ce to ddf8a7f Compare August 10, 2023 14:37
@karlnorling

Copy link
Copy Markdown
Contributor Author

@SimenB I've added Changelog message and signed the EasyCLA (10 times now), but it doesn't seem to update.

Then there seems to be a timeout test error https://github.com/jestjs/jest/actions/runs/5822710774/job/15788003352?pr=14401#step:7:121

 - istanbul-lib-instrument updated from 5.10.0 to 6.0.0
   - istanbul-lib-instrument dropping support for node 10
   - fixing semver vuln. CVE-2022-25883
@karlnorling karlnorling force-pushed the sec/semver-CVE-2022-25883 branch from fe92f35 to 94c1216 Compare August 11, 2023 16:29
@karlnorling

Copy link
Copy Markdown
Contributor Author

@SimenB I've squashed changes. CLA is sloved.

@SimenB SimenB left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@SimenB SimenB merged commit 25a8785 into jestjs:main Aug 12, 2023
@karlnorling karlnorling deleted the sec/semver-CVE-2022-25883 branch August 14, 2023 08:39
@SimenB

SimenB commented Aug 21, 2023

Copy link
Copy Markdown
Member

https://github.com/jestjs/jest/releases/tag/v29.6.3

@github-actions

Copy link
Copy Markdown

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Sep 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants