security(deps): bump filenamify-url to 2.1.1#393

Merged
tschaub merged 1 commit into tschaub:main from AviVahl:filenamify2-audit-fix
Jun 14, 2021

Conversation


@AviVahl AviVahl commented Jun 10, 2021

regenerated lock file from scratch to get back to 0 vulnerabilities

fixes:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ normalize-url                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gh-pages                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gh-pages > filenamify-url > humanize-url > normalize-url     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1755                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

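The audit output above carries the two things worth checking mechanically after a lockfile change: the "Patched in" range expression and the dependency path to the vulnerable package. The following is an added example, not code from gh-pages, npm or this PR. It parses a range in npm's `||`-separated comparator form and walks a lockfileVersion 1 `package-lock.json` tree to report every normalize-url instance with its `a > b > c` path and whether it falls inside the patched ranges. The lock file contents and versions are constructed for the demonstration, and the comparator parser handles only the `>=`, `>`, `<=`, `<` and `=` operators that appear in the advisory (no `^`, `~` or `x` ranges).

```javascript
// Added example (not gh-pages', npm's or this PR's code): audit a v1-style
// package-lock.json for normalize-url instances outside the advisory's
// "Patched in" ranges. Lock contents and versions below are constructed.

const PATCHED_IN = '>=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1';

// "1.2.3" (an optional "v" prefix and pre-release tag are ignored) -> [1, 2, 3]
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A range is a disjunction ("||") of space-separated simple comparators,
// which is the form npm audit prints in its "Patched in" row.
function satisfies(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).filter(Boolean).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '<': return c < 0;
        default: return c === 0;
      }
    })
  );
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 file and collect
// every instance of `name` together with its "a > b > c" path.
function findPackage(lock, name, trail = [], out = []) {
  for (const [dep, info] of Object.entries(lock.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name) out.push({ path: path.join(' > '), version: info.version });
    findPackage(info, name, path, out);
  }
  return out;
}

function auditLock(lock, name, range) {
  return findPackage(lock, name).map((hit) => ({
    ...hit,
    patched: satisfies(hit.version, range),
  }));
}

// Constructed lock file mirroring the advisory's path; versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'gh-pages': {
      version: '3.1.0',
      dependencies: {
        'filenamify-url': {
          version: '1.0.0',
          dependencies: {
            'humanize-url': {
              version: '1.0.1',
              dependencies: { 'normalize-url': { version: '1.9.1' } },
            },
          },
        },
      },
    },
    'normalize-url': { version: '6.0.1' },
  },
};

for (const r of auditLock(SAMPLE_LOCK, 'normalize-url', PATCHED_IN)) {
  console.log(`${r.patched ? 'ok  ' : 'VULN'} ${r.version.padEnd(8)} ${r.path}`);
}
```

Run it with `node`; it prints one line per instance found, flagging the nested copy under humanize-url and accepting the top-level 6.0.1. `npm audit` does the same lookup against the registry's advisory data; a walker like this is useful when you need to confirm offline that a regenerated or hand-edited lock file no longer contains any copy of a package below the patched versions, including copies npm hoisted to the top level.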

@TyMick TyMick left a comment


For what it's worth, the only breaking change in filenamify-url v2 is that it requires Node.js 8, so no other code changes should be necessary. 👍🏼


TyMick commented Jun 10, 2021

Though I'm not sure that regenerating the lockfile was necessary—npm install filenamify-url@2 probably would've been sufficient to upgrade normalize-url.

Author

AviVahl commented Jun 10, 2021

Though I'm not sure that regenerating the lockfile was necessary—npm install filenamify-url@2 probably would've been sufficient to upgrade normalize-url.

There were other audit failures from locked deps.

@emilbader

Related issue: sindresorhus/filenamify-url#9
Related commit in humanize-url: sindresorhus/humanize-url@d013ec7

Author

AviVahl commented Jun 14, 2021

heya @tschaub, any chance you've got time to review this? :)

@tschaub tschaub merged commit a4c9eee into tschaub:main Jun 14, 2021
Owner

tschaub commented Jun 14, 2021

Thanks, @AviVahl.

There are automated security updates configured for this repo, but they can take up to 7 days from the time of an alert. The alert for normalize-url was still only 6 days old.

@skratchdot

I think this change broke our CI.

we clone our repo via something like:

[email protected]:org/repo.git

our CI job now fails during a gh-pages step with the following error:

Invalid URL: http:[email protected]:org/repo.git

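The failing string in the report above has the shape of an scp-like git remote (`[user@]host:path`) with a scheme prepended, and that is not something any WHATWG URL parser accepts. The following is an added example, not gh-pages' code and not from the commenter; the host and repository path are constructed stand-ins. It shows how Node's `URL` constructor treats the scp-like form, the scheme-prefixed form and an `ssh://` URL, and rewrites the scp-like form into the `ssh://` form git also accepts.

```javascript
// Added example, not code from gh-pages or from the commenter above.
// Host and repository path are constructed stand-ins.

// git's scp-like remote: "[user@]host:path", i.e. a colon before the first
// slash that is not part of "://". This is git syntax, not a URL.
const SCP_LIKE = /^(?:([^@/:]+)@)?([^:/]+):(?!\/\/)(.+)$/;

function isScpLikeRemote(s) {
  return SCP_LIKE.test(s);
}

// Node's URL constructor implements the WHATWG URL parser and throws
// TypeError ("Invalid URL") for anything that does not parse.
function isWhatwgUrl(s) {
  try {
    new URL(s);
    return true;
  } catch {
    return false;
  }
}

// Rewrite "git@host:org/repo.git" as "ssh://git@host/org/repo.git", a form
// both git and a URL parser accept. Assumption: the host serves the same
// repository for the home-relative scp path and the absolute ssh:// path.
function scpToSshUrl(remote) {
  const m = SCP_LIKE.exec(remote);
  if (!m) throw new Error(`not an scp-like remote: ${remote}`);
  const [, user, host, path] = m;
  return `ssh://${user ? `${user}@` : ''}${host}/${path.replace(/^\/+/, '')}`;
}

// Classify a remote the way a tool that needs a real URL would have to:
// accept URLs as they are, convert scp-like remotes, reject the rest.
function describe(remote) {
  if (isWhatwgUrl(remote)) return { remote, kind: 'url', url: remote };
  if (isScpLikeRemote(remote)) return { remote, kind: 'scp-like', url: scpToSshUrl(remote) };
  return { remote, kind: 'invalid', url: null };
}

// Constructed inputs: a plain scp-like remote, a string with the shape of the
// failing one reported above (scheme prefixed to scp syntax), and two URLs.
const SAMPLES = [
  'git@example.com:org/repo.git',
  'http:git@example.com:org/repo.git',
  'ssh://git@example.com/org/repo.git',
  'https://example.com/org/repo.git',
];

for (const s of SAMPLES) {
  const d = describe(s);
  console.log(`${d.kind.padEnd(8)} ${s}${d.url && d.url !== s ? `  ->  ${d.url}` : ''}`);
}
```

The scheme-prefixed sample still fails `new URL`: the parser takes `git` as the userinfo, `example.com` as the host and then expects a port where it finds `org/repo.git`. Under the same colon-before-first-slash rule git uses, that string would instead be read as host `http`, so prefixing a scheme does not turn an scp-like remote into a URL. Converting to `ssh://` first, before anything downstream parses the remote, is the robust fix. One caveat on the conversion: an scp-like path is relative to the remote user's home directory while an `ssh://` path is absolute, which hosted services generally treat as the same repository, but that is an assumption to confirm against your host.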