
Version 1.12.5 #331

Closed
wants to merge 2 commits into from

Conversation

EmilyZhang777
Contributor

No description provided.

This PR resolves the following vulnerabilities:

Bump tmpl's version to 1.0.5 to avoid uncontrolled resource consumption when formatting a string
J=VULN-38389
TEST=auto

Ran npm run test. Also made sure running jambo commands locally works.

coveralls commented Feb 1, 2024

coverage: 47.814%. remained the same when pulling 7adeb96 on hotfix/v1.12.5 into 52fde9e on master.

benmcginnis previously approved these changes Feb 2, 2024
Contributor

nmanu1 left a comment


same comments as in the other PR: can you update the PR description and bump the package version?

Address vulnerabilities by running `npm audit fix`. Some of the package updates include:
- upgrade `@babel/traverse` from v7.10.3 and v7.11.5 to v7.23.9 to prevent the critical Incomplete List of Disallowed Inputs [vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2023-45133) fixed in v7.23.2
- upgrade `handlebars` from v4.7.6 to v4.7.8 to prevent [Prototype Pollution](https://nvd.nist.gov/vuln/detail/cve-2021-23383) and [Remote Code Execution](https://nvd.nist.gov/vuln/detail/CVE-2021-23369) fixed in v4.7.7
- upgrade `lodash` from v4.17.20 to v4.17.21 to prevent [Command Injection](https://nvd.nist.gov/vuln/detail/CVE-2021-23337) and [ReDoS](https://nvd.nist.gov/vuln/detail/CVE-2020-28500) fixed in v4.17.21
- upgrade `shell-quote` from v1.7.2 to v1.8.1 to prevent [CVE-2021-42740](https://nvd.nist.gov/vuln/detail/CVE-2021-42740) fixed in v1.7.3

J=VULN-38731
TEST=none
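The description above notes that `@babel/traverse` was present at two versions, which is the usual reason `npm audit fix` bumps the hoisted copy while a nested one survives. As an added check (not code from this PR or its repository), the Node script below walks a lockfile's `packages` map and reports every installed copy of the bumped packages that is still below the fixed version the description lists; the lockfile it scans is constructed sample data.

```javascript
// Added example, not part of this PR: scan an npm lockfile (v2/v3 "packages" map)
// for installed copies of the bumped packages still older than the fixed versions.
const MIN_FIXED = {
  "@babel/traverse": "7.23.2", // CVE-2023-45133
  "handlebars": "4.7.7",       // CVE-2021-23383, CVE-2021-23369
  "lodash": "4.17.21",         // CVE-2021-23337, CVE-2020-28500
  "shell-quote": "1.7.3",      // CVE-2021-42740
  "tmpl": "1.0.5",             // uncontrolled resource consumption (VULN-38389)
};

// Numeric compare of dotted versions; negative when a < b. Prerelease tags ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lockfile key looks like "node_modules/x" or "node_modules/a/node_modules/x",
// so nested duplicates (e.g. two @babel/traverse copies) are separate entries.
// Returns [{ name, version, path }] for each copy still below its fixed version.
function findVulnerable(lock, minimums = MIN_FIXED) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // "" is the root project itself
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    const min = minimums[name];
    if (min && compareVersions(entry.version, min) < 0) {
      hits.push({ name, version: entry.version, path: key });
    }
  }
  return hits;
}

// Constructed sample lockfile (not this repository's): the hoisted @babel/traverse is
// fixed, but a plugin still pins an old nested copy, and tmpl is one patch short.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-site", version: "1.0.0" },
    "node_modules/@babel/traverse": { version: "7.23.9" },
    "node_modules/some-plugin/node_modules/@babel/traverse": { version: "7.11.5" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/tmpl": { version: "1.0.4" },
  },
};
```

Running `findVulnerable(SAMPLE_LOCK)` flags only the nested `@babel/traverse` 7.11.5 and `tmpl` 1.0.4; point it at a real `package-lock.json` via `JSON.parse(fs.readFileSync(...))` to confirm an audit fix left no stale nested copy behind.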