
fix: 1 critical vulnerability #417

Merged
merged 1 commit into from
May 4, 2024

Conversation

hamirmahal
Contributor

@hamirmahal hamirmahal commented Apr 5, 2024

fixes #416.

Problem

Several dependencies have issues. #416 (comment) has more details.

How this pull request fixes the problem

This pull request resolves the vulnerabilities that are easier to fix by updating package-lock.json.

@hamirmahal
Contributor Author

Without this change


hamir@hamir-desktop:~/linguist (master)$  npm install
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @stylelint/postcss-markdown@0.36.2: Use the original unforked package instead: postcss-markdown
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated @stylelint/postcss-css-in-js@0.37.3: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@3.21.0: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

> browser-addon@5.0.7 prepare
> husky install

husky - Git hooks installed

added 1949 packages, and audited 1950 packages in 10s

262 packages are looking for funding
  run `npm fund` for details

55 vulnerabilities (1 low, 34 moderate, 19 high, 1 critical)

@hamirmahal
Contributor Author

With this change


hamir@hamir-desktop:~/linguist (fix/critical-vulnerability)$  npm install
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated @stylelint/postcss-markdown@0.36.2: Use the original unforked package instead: postcss-markdown
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated @stylelint/postcss-css-in-js@0.37.3: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@3.21.0: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

> browser-addon@5.0.7 prepare
> husky install

husky - Git hooks installed

added 1958 packages, and audited 1959 packages in 10s

262 packages are looking for funding
  run `npm fund` for details

51 vulnerabilities (1 low, 32 moderate, 18 high)
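A CI gate over the two summary lines quoted above, as an added example that is not part of this pull request or the project (the function names `count_severity` and `audit_gate` are assumptions):

```shell
#!/bin/sh
# Added example, not code from this PR or the project. It parses the summary
# line npm prints after `npm install` / `npm audit` and gates a build on it;
# the two sample lines are the ones quoted in this PR. Function names are assumptions.

# count_severity "<summary line>" <severity>
# Prints the number of findings of that severity. A severity missing from the
# line (e.g. "critical" in the after-fix line, or "found 0 vulnerabilities") is 0.
count_severity() {
    n=$(printf '%s\n' "$1" | sed -n "s/.*[( ]\([0-9][0-9]*\) $2[,)].*/\1/p")
    echo "${n:-0}"
}

# audit_gate "<summary line>" [max_high]
# Succeeds only if there are no critical findings and at most max_high
# (default 0) high findings; moderate and low are reported but not blocking.
audit_gate() {
    crit=$(count_severity "$1" critical)
    high=$(count_severity "$1" high)
    [ "$crit" -eq 0 ] && [ "$high" -le "${2:-0}" ]
}

# Summary lines copied from the "Without this change" / "With this change" runs above.
BEFORE='55 vulnerabilities (1 low, 34 moderate, 19 high, 1 critical)'
AFTER='51 vulnerabilities (1 low, 32 moderate, 18 high)'

# Allowing 18 highs lets the post-fix line pass while the pre-fix line still
# fails on its single critical finding.
for line in "$BEFORE" "$AFTER"; do
    if audit_gate "$line" 18; then
        echo "PASS: $line"
    else
        echo "FAIL: $line"
    fi
done

# In CI, feed the live summary instead of the constructed lines:
#   audit_gate "$(npm audit 2>/dev/null | grep -E '^[0-9]+ vulnerabilit' || true)"
```

npm's own `npm audit --audit-level=critical` gives a single-threshold version of the same gate; the script above is useful when the high count also has to be held at a known ceiling while the remaining findings are worked down.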

@vitonsky
Collaborator

vitonsky commented Apr 5, 2024

Too many changes with no clear context. Please explain in the PR description what problem exactly we have, why, and how these changes fix the problem.

@hamirmahal
Contributor Author

I updated the pull request description. Let me know if there's anything else I can do to clarify things.

Contributor Author

@hamirmahal hamirmahal left a comment


The changes here are just a result of running npm audit fix.

@vitonsky vitonsky merged commit c977920 into translate-tools:master May 4, 2024
4 checks passed
@hamirmahal hamirmahal deleted the fix/critical-vulnerability branch May 4, 2024 18:14
Successfully merging this pull request may close these issues.

1 critical vulnerability when running npm install