Skip to content
This repository has been archived by the owner on Oct 28, 2020. It is now read-only.

Update acorn dependency for security updates #114

Merged
merged 1 commit into from
Sep 3, 2020
Merged

Update acorn dependency for security updates #114

merged 1 commit into from
Sep 3, 2020

Conversation

GUI
Copy link
Contributor

@GUI GUI commented Mar 9, 2020

es-check pins the acorn dependency to 6.1.1, which has a security issue:
https://www.npmjs.com/advisories/1488

You'd have to run untrusted user input through es-check for this to potentially be an issue, so I'm not sure how likely that is. However, it would still be nice to get this patched and a new version of es-check released so that this doesn't cause issues in npm audit/yarn audit types of vulnerability reports whenever es-check is used.

Proposed Changes

  • Update the acorn dependency requirement from 6.1.1 to ^6.4.1. Versions 6.4.1 or 7.1.1 and later of acorn are patched. I thought it might be beneficial to loosen the version constraint at the same time, so potentially future patches on the 6.x series could automatically be upgraded, rather than requiring explicit upgrades on es-check's part. But let me know if you'd prefer keeping it pinned to an exact version, and happy to update this pull request.

Thanks!

@GUI
Update acorn dependency for security updates.
6619b9a 
es-check pins the acorn dependency to 6.1.1, which has a security issue:
https://www.npmjs.com/advisories/1488

This updates and loosens the version constraint to a patched version.
@apepper
Copy link

apepper commented Mar 12, 2020
edited
Loading

Fixes #115.

@akellbl4 akellbl4 mentioned this pull request Mar 12, 2020
Merged
apepper
apepper approved these changes Mar 17, 2020
View reviewed changes
Copy link

@apepper apepper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (6619b9a)

apepper
apepper approved these changes Mar 17, 2020
View reviewed changes
Copy link

@apepper apepper left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM (6619b9a) (Sorry for the spam)

@bigsergey
Copy link

Can we merge PR?

@cssagogo
Copy link

Any update on this?

@apepper apepper mentioned this pull request Jul 10, 2020
Closed
@AnaA95
Copy link

AnaA95 commented Jul 17, 2020

Hey, any updates?

@ceisele-r
Copy link

Hey, did this got lost? What's blocking the merge?

@jakiestfu jakiestfu merged commit a43d3a4 into dollarshaveclub:master Sep 3, 2020
@ceisele-r ceisele-r mentioned this pull request Sep 4, 2020
Open
@apepper
Copy link

apepper commented Sep 4, 2020

@jakiestfu Thank you for merging this PR! Any ETA when a new release of es-check will be published to npmjs.com?

@stevehobbsdev
Copy link

Any update on a release? We'd like to upgrade to take care of vulnerabilities reported for Acorn.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@apepper apepper apepper approved these changes

@cssagogo cssagogo cssagogo approved these changes

@jakiestfu jakiestfu jakiestfu approved these changes

@yowainwright yowainwright yowainwright approved these changes

@bigsergey bigsergey bigsergey approved these changes

@akellbl4 akellbl4 akellbl4 approved these changes

@iadcode iadcode iadcode approved these changes

@AnaA95 AnaA95 AnaA95 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.