Conversation

@hrsakai hrsakai (Contributor) commented May 12, 2025

Motivation

  • Fix some security vulnerabilities.

Modifications

  • Ran npm audit fix
8 vulnerabilities (7 moderate, 1 high)
↓
5 moderate severity vulnerabilities
  • Unable to upgrade @qiwi/npm-registry-client, so I can't fix 5 moderate severity vulnerabilities.
  • Ignoring these vulnerabilities for now, as dtslint is a dev dependency.
# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install dtslint@3.6.4, which is a breaking change
node_modules/request
  @qiwi/npm-registry-client  *
  Depends on vulnerable versions of request
  node_modules/@qiwi/npm-registry-client
    @definitelytyped/utils  >=0.0.88
    Depends on vulnerable versions of @qiwi/npm-registry-client
    node_modules/@definitelytyped/utils
      dtslint  >=3.6.6
      Depends on vulnerable versions of @definitelytyped/utils
      node_modules/dtslint

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install dtslint@3.6.4, which is a breaking change
node_modules/request/node_modules/tough-cookie

5 moderate severity vulnerabilities

Verifying this change

  • Make sure that the change passes the CI checks.


Documentation

  • doc-required
    (Your PR needs to update docs and you will update later)

  • doc-not-needed
    (Please explain why)

  • doc
    (Your PR contains doc changes)

  • doc-complete
    (Docs have been already added)

@massakam massakam added this to the 1.13.0 milestone May 13, 2025
@massakam massakam merged commit 41f2575 into apache:master May 13, 2025
12 checks passed
@shibd shibd modified the milestones: 1.13.0, 1.14.0 May 26, 2025
shibd pushed a commit that referenced this pull request May 26, 2025
* Upgrade libraries with security vulnerabilities

* Downgrade @definitelytyped/utils to 0.0.188

* Downgrade @definitelytyped/utils to 0.0.168

(cherry picked from commit 41f2575)