
Security Vulnerabilities in @toolpad/core #4478

Closed
PetarDimitrovZH opened this issue Nov 26, 2024 · 10 comments · Fixed by #4483
Assignees
Labels
priority: important This change can make a difference security Pull requests that address a security vulnerability

Comments


PetarDimitrovZH commented Nov 26, 2024

At this moment there are 6 high-severity vulnerabilities in the @toolpad/core package. Is there any plan to fix those?

Here is the output of npm audit:

[screenshot of npm audit output]

@github-actions github-actions bot added the status: waiting for maintainer These issues haven't been looked at yet by a maintainer label Nov 26, 2024
Member

Janpot commented Nov 26, 2024

Upstream issue vercel/title#85. Looks like it's fixed in their latest version.

PetarDimitrovZH (Author) commented

I am now on @toolpad/core 0.10.0, the latest version on npm. In which release are you planning to publish the fixes?

Member

Janpot commented Nov 26, 2024

Yes, it will be part of the next version. Just to note that the offending cross-spawn dependency is not being called. There is no real vulnerability here other than on paper.

PetarDimitrovZH (Author) commented

Ok, thanks a lot!

@github-actions github-actions bot removed the status: waiting for maintainer These issues haven't been looked at yet by a maintainer label Nov 26, 2024
github-actions bot commented Nov 26, 2024

This issue has been closed. If you have a similar problem but not exactly the same, please open a new issue.
Now, if you have additional information related to this issue or things that could help future readers, feel free to leave a comment.


Member

Janpot commented Nov 26, 2024

We can leave this open for tracking purposes.

@Janpot Janpot reopened this Nov 26, 2024
@Janpot Janpot added priority: important This change can make a difference security Pull requests that address a security vulnerability labels Nov 26, 2024
rolandjitsu commented
@Janpot would it make sense to relax the dependencies so that patches are picked up? E.g. in

one could use:

"title": "~4.0.1",

Member

Janpot commented Dec 8, 2024

Yes, I wouldn't mind even widening it to ^4.0.1. Are you interested in opening a PR for this?

rolandjitsu commented

> yes, I wouldn't mind to even widen it to ^4.0.1. are you interested in opening a PR for this?

Sure, I can.
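To make the range semantics discussed above concrete, here is an added example (not code from the toolpad or title projects) implementing a minimal matcher for the exact, `~` and `^` dependency range forms and showing which published version each would resolve to. The version list is constructed for illustration and is not the real `title` release history.

```javascript
// Added example: minimal npm-style range matching for "x.y.z", "~x.y.z" and
// "^x.y.z". Prerelease tags and compound ranges are deliberately not handled.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when `version` is allowed by `range`.
function satisfies(version, range) {
  const v = parse(version);
  const op = range[0] === '~' || range[0] === '^' ? range[0] : '';
  const base = parse(op ? range.slice(1) : range);
  if (cmp(v, base) < 0) return false;               // never below the base
  if (op === '') return cmp(v, base) === 0;         // exact pin: that version only
  if (op === '~') return v[0] === base[0] && v[1] === base[1]; // patch bumps only
  // caret: same major; for 0.x the first non-zero component is the "major"
  if (base[0] === 0 && base[1] === 0) return cmp(v, base) === 0;
  if (base[0] === 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === base[0];
}

// Highest available version the range resolves to, or null if none matches.
function resolve(range, available) {
  const ok = available.filter((v) => satisfies(v, range));
  ok.sort((a, b) => cmp(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry contents (hypothetical): a patch release 4.0.2 that a
// consumer pinned to exactly "4.0.1" would never pick up.
const AVAILABLE = ['3.5.0', '4.0.0', '4.0.1', '4.0.2', '4.1.0', '5.0.0'];

function compareRanges(ranges, available) {
  return Object.fromEntries(ranges.map((r) => [r, resolve(r, available)]));
}

console.log(compareRanges(['4.0.1', '~4.0.1', '^4.0.1'], AVAILABLE));
```

With the constructed list, the exact pin stays on 4.0.1, `~4.0.1` picks up the 4.0.2 patch, and `^4.0.1` also accepts 4.1.0 but not 5.0.0.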
