fix(deps): esbuild, fetch-mock, octokit/request by benpbolton · Pull Request #638 · octokit/graphql.js · GitHub
fix(deps): esbuild, fetch-mock, octokit/request #638

Merged
merged 2 commits into from
Feb 20, 2025

Conversation

benpbolton

This aims to resolve several npm audit vulnerabilities with the 7.x branch.


Before the change?

10 vulnerabilities (4 moderate, 5 high, 1 critical)

[screenshot: CleanShot 2025-02-20 at 07 34 19]

After the change?

1 moderate severity vulnerability

[screenshot: CleanShot 2025-02-20 at 07 34 44]

Note: this CVE is already addressed by the bump in @octokit/request to 8.4.1, however https://registry.npmjs.org/-/npm/v1/security/advisories/bulk incorrectly 'simplifies' affected versions:

{"@octokit/request":[{"id":1102260,"url":"https://github.com/advisories/GHSA-rmvr-2pp2-xj38","title":"@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking","severity":"moderate","vulnerable_versions":">=1.0.0 <9.2.1","cwe":["CWE-1333"],"cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}]}

vs. GitHub registry (https://api.github.com/advisories/GHSA-rmvr-2pp2-xj38):

...
  "vulnerabilities": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/request"
      },
      "vulnerable_version_range": ">= 9.0.0-beta.1, < 9.2.1",
      "first_patched_version": "9.2.1",
      "vulnerable_functions": [

      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/request"
      },
      "vulnerable_version_range": ">= 1.0.0, < 8.4.1",
      "first_patched_version": "8.4.1",
      "vulnerable_functions": [

      ]
    }
  ],
  ...

Pull request checklist

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

No breaking changes revealed by the tests.

  • Yes
  • No
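To make the range discrepancy quoted above concrete, here is an added example (not code from this PR or from octokit) that evaluates versions of @octokit/request against the npm bulk endpoint's collapsed range and against GitHub's two per-line ranges, using a small hand-written semver comparator; the function names and the sample version list are assumptions for illustration.

```javascript
// Added example: why npm's collapsed range for GHSA-rmvr-2pp2-xj38 flags 8.4.1
// while GitHub's per-line ranges do not. Minimal semver: "MAJOR.MINOR.PATCH[-pre]"
// and comparator sets written either as ">=1.0.0 <9.2.1" or ">= 1.0.0, < 8.4.1".
// node-semver's prerelease-exclusion rule is deliberately not modelled here.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Negative, zero or positive like a comparator; a prerelease sorts before its release.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.main[i] !== b.main[i]) return a.main[i] - b.main[i];
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (a.pre[i] === undefined) return -1;
    if (b.pre[i] === undefined) return 1;
    const x = a.pre[i], y = b.pre[i];
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (Number(x) !== Number(y)) return Number(x) - Number(y); }
    else if (nx) return -1;
    else if (ny) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when every comparator in the range holds for the version.
function satisfies(version, range) {
  const v = parseVersion(version);
  const ops = { '>=': c => c >= 0, '<=': c => c <= 0, '>': c => c > 0, '<': c => c < 0, '=': c => c === 0 };
  const comps = [...range.matchAll(/(>=|<=|>|<|=)\s*([0-9A-Za-z.-]+)/g)];
  return comps.every(([, op, ver]) => ops[op](compareVersions(v, parseVersion(ver))));
}

// Range data exactly as quoted in the PR description for GHSA-rmvr-2pp2-xj38.
const NPM_BULK_RANGE = '>=1.0.0 <9.2.1';
const GITHUB_RANGES = ['>= 9.0.0-beta.1, < 9.2.1', '>= 1.0.0, < 8.4.1'];

function vulnerableByNpm(version) { return satisfies(version, NPM_BULK_RANGE); }
function vulnerableByGitHub(version) { return GITHUB_RANGES.some(r => satisfies(version, r)); }

// Versions the two sources disagree on: patched 8.x releases that npm still flags.
function disagreements(versions) {
  return versions.filter(v => vulnerableByNpm(v) !== vulnerableByGitHub(v));
}

// Constructed sample list spanning both release lines.
console.log(disagreements(['8.4.0', '8.4.1', '8.4.2', '9.0.0', '9.2.0', '9.2.1']));
// → [ '8.4.1', '8.4.2' ]
```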

benpbolton and others added 2 commits February 20, 2025 07:29
@octokit/request to "^8.4.1 for GHSA-rmvr-2pp2-xj38
esbuild to ~0.25.0 for GHSA-67mh-4wv8-2f99
replace fetch-mock from "fetch-mock": "npm:@gr2m/fetch-mock@9.11.0-pull-request-644.1" with "fetch-mock": "^10.1.1" for GHSA-9wv6-86v2-598j
@wolfy1339
Member

> Note: this CVE is already addressed by the bump in @octokit/request to 8.4.1, however https://registry.npmjs.org/-/npm/v1/security/advisories/bulk incorrectly 'simplifies' affected versions:
>
> {"@octokit/request":[{"id":1102260,"url":"https://github.com/advisories/GHSA-rmvr-2pp2-xj38","title":"@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking","severity":"moderate","vulnerable_versions":">=1.0.0 <9.2.1","cwe":["CWE-1333"],"cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}]}

That seems like it's a bug and should be reported to NPM

@wolfy1339 wolfy1339 merged commit 267a17a into octokit:7.x Feb 20, 2025
6 checks passed

🎉 This PR is included in version 7.1.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@jaredcobb

I was just about to submit this same fix. Thanks @benpbolton!

@benpbolton benpbolton deleted the chore/update_npm_deps branch February 20, 2025 21:50