Version 1.12.5 #333

Merged
merged 3 commits into master from hotfix/v1.12.5
Feb 29, 2024

Conversation

nmanu1
Contributor

@nmanu1 nmanu1 commented Feb 29, 2024

Fixes

EmilyZhang777 and others added 3 commits February 1, 2024 14:53
This PR resolves the following vulnerabilities:

Bump tmpl's version to 1.0.5 to avoid uncontrolled resource consumption when formatting a string
J=VULN-38389
TEST=auto

Ran npm run test. Also made sure running jambo commands locally works.
Address vulnerabilities by running `npm audit fix`. Some of the package updates include:
- upgrade `@babel/traverse` from v7.10.3 and v7.11.5 to v7.23.9 to prevent Incomplete List of Disallowed Inputs critical [vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2023-45133) fixed in v7.23.2
- upgrade `handlebars` from v4.7.6 to v4.7.8 to prevent [Prototype Pollution](https://nvd.nist.gov/vuln/detail/cve-2021-23383) and [Remote Code Execution](https://nvd.nist.gov/vuln/detail/CVE-2021-23369) fixed in v4.7.7
- upgrade `lodash` from v4.17.20 to v4.17.21 to prevent [Command Injection](https://nvd.nist.gov/vuln/detail/CVE-2021-23337) and [ReDoS](https://nvd.nist.gov/vuln/detail/CVE-2020-28500) fixed in v4.17.21
- upgrade `shell-quote` from 1.7.2 to v1.8.1 to prevent [CVE-2021-42740](https://nvd.nist.gov/vuln/detail/CVE-2021-42740) fixed in v1.7.3

J=VULN-38731
TEST=none
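As an added verification step (not part of this PR or the jambo project), the script below walks a lockfile's `packages` map, including nested duplicate copies such as the two `@babel/traverse` versions mentioned above, and reports any copy still older than the fixed version named in the commit messages. The lockfile fragment is constructed for the demonstration.

```javascript
// Minimum versions that contain the fixes named in the commit messages above.
const MIN_FIXED = {
  '@babel/traverse': '7.23.2', // CVE-2023-45133
  'handlebars': '4.7.7',       // CVE-2021-23383, CVE-2021-23369
  'lodash': '4.17.21',         // CVE-2021-23337, CVE-2020-28500
  'shell-quote': '1.7.3',      // CVE-2021-42740
  'tmpl': '1.0.5',             // uncontrolled resource consumption
};
// Parse "v1.2.3" or "1.2.3-beta.1" into numeric [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
// Returns -1, 0 or 1 like a comparator; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// The package name is everything after the last "node_modules/" in a lock key,
// so nested copies such as "node_modules/x/node_modules/lodash" are found too.
function packageName(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}
// Walk every installed copy (lockfile v2/v3 "packages" map) and report the
// ones still older than the minimum fixed version.
function findOutdated(lock, minFixed = MIN_FIXED) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name || !(name in minFixed) || !entry.version) continue;
    if (compareVersions(entry.version, minFixed[name]) < 0) {
      findings.push({ path: key, installed: entry.version, required: minFixed[name] });
    }
  }
  return findings;
}
// Constructed lockfile fragment for demonstration, not the project's real one.
const SAMPLE_LOCK = { packages: {
  'node_modules/@babel/traverse': { version: '7.23.9' },
  'node_modules/some-plugin/node_modules/@babel/traverse': { version: '7.11.5' },
  'node_modules/handlebars': { version: '4.7.8' },
  'node_modules/lodash': { version: '4.17.20' },
  'node_modules/shell-quote': { version: '1.8.1' },
  'node_modules/tmpl': { version: '1.0.5' },
} };
console.log(findOutdated(SAMPLE_LOCK)); // nested @babel/traverse and lodash are flagged
```

Against a real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means every installed copy of the listed packages is at or above the fixed version.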
@coveralls

Coverage Status

coverage: 47.814%, remained the same
when pulling f6fa03f on hotfix/v1.12.5
into 52fde9e on master.

@nmanu1 nmanu1 merged commit 88a73e6 into master Feb 29, 2024
9 checks passed
@nmanu1 nmanu1 mentioned this pull request Feb 29, 2024
nmanu1 added a commit that referenced this pull request Feb 29, 2024
### Fixes
- Addressed various vulnerabilities from our dependencies (#330, #332)