Update latest-version + update-notifier packages

Open juliangrube1988 opened this issue 2 years ago • 6 comments

Describe the bug
Optic v0.50.10 depends on a vulnerable version of latest-version.

To Reproduce
Steps to reproduce the behavior:

  1. npm install @useoptic/optic
  2. npm audit

Expected behavior
latest-version > 5.1.0

Details (please complete the following information):

  • Optic v0.50.10

    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      @useoptic/optic  >=0.36.6-0
      Depends on vulnerable versions of latest-version
      Depends on vulnerable versions of update-notifier
      node_modules/@useoptic/optic
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

juliangrube1988 avatar Oct 19 '23 11:10 juliangrube1988

https://github.com/advisories/GHSA-pfrx-2q88-qq97

unless i'm mistaken, it looks like there's actually a few packages here to sort out,

➜ npm audit
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @useoptic/[email protected], which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      @useoptic/optic  >=0.36.6-0
      Depends on vulnerable versions of latest-version
      Depends on vulnerable versions of update-notifier
      node_modules/@useoptic/optic
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run:

notnmeyer avatar Oct 20 '23 13:10 notnmeyer
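The audit tree above reports "5 moderate severity vulnerabilities", but there is only one advisory (GHSA-pfrx-2q88-qq97 in got); the other four entries are the packages that transitively depend on it. The script below, an added example that is not code from the Optic project or from anyone in this thread, reconstructs those chains from the machine-readable form of the same report (`npm audit --json`, npm v7 and later). The report object is constructed by hand to mirror the tree posted above; in practice you would feed it the parsed output of `npm audit --json`. Field names (`vulnerabilities`, `via`, `effects`, `nodes`) are the ones npm emits; the `ADVISORY_URL` constant and the function names are this example's own.

```javascript
// Reconstruct dependency chains from an `npm audit --json` report.
// Added example, not Optic project code. `sampleReport` is constructed by
// hand to mirror the audit tree in this thread; a real run would do
//   const report = JSON.parse(require('child_process').execSync('npm audit --json'));

const ADVISORY_URL = 'https://github.com/advisories/GHSA-pfrx-2q88-qq97';

// Constructed sample of the `vulnerabilities` map in an npm v7+ audit report.
// `via` holds either advisory objects (the root cause) or the names of other
// vulnerable packages this one depends on; `effects` lists its dependents.
const sampleReport = {
  vulnerabilities: {
    got: {
      name: 'got', severity: 'moderate', range: '<11.8.5',
      via: [{ name: 'got', title: 'Got allows a redirect to a UNIX socket',
              url: ADVISORY_URL, severity: 'moderate', range: '<11.8.5' }],
      effects: ['package-json'], nodes: ['node_modules/got'],
    },
    'package-json': {
      name: 'package-json', severity: 'moderate', range: '<=6.5.0',
      via: ['got'], effects: ['latest-version'], nodes: ['node_modules/package-json'],
    },
    'latest-version': {
      name: 'latest-version', severity: 'moderate', range: '0.2.0 - 5.1.0',
      via: ['package-json'], effects: ['update-notifier', '@useoptic/optic'],
      nodes: ['node_modules/latest-version'],
    },
    'update-notifier': {
      name: 'update-notifier', severity: 'moderate', range: '0.2.0 - 5.1.0',
      via: ['latest-version'], effects: ['@useoptic/optic'],
      nodes: ['node_modules/update-notifier'],
    },
    '@useoptic/optic': {
      name: '@useoptic/optic', severity: 'moderate', range: '>=0.36.6-0',
      via: ['latest-version', 'update-notifier'], effects: [],
      nodes: ['node_modules/@useoptic/optic'],
    },
  },
};

// Distinct advisories behind the report: only `via` entries that are objects
// carry an advisory; string entries just point at another vulnerable package.
function rootAdvisories(report) {
  const urls = new Set();
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via) if (typeof via === 'object') urls.add(via.url);
  }
  return [...urls].sort();
}

// Depth-first walk from every top-level package (empty `effects`) down the
// `via` links until an advisory object is reached; one record per chain.
function vulnerabilityChains(report) {
  const vulns = report.vulnerabilities;
  const chains = [];
  const walk = (name, path, seen) => {
    const v = vulns[name];
    if (!v || seen.has(name)) return; // unknown node or cycle: stop here
    const next = new Set(seen).add(name);
    for (const via of v.via) {
      if (typeof via === 'string') {
        walk(via, [...path, name], next);
      } else {
        chains.push({ path: [...path, name], advisory: via.url,
                      severity: via.severity, vulnerableRange: via.range });
      }
    }
  };
  for (const [name, v] of Object.entries(vulns)) {
    if (v.effects.length === 0) walk(name, [], new Set());
  }
  return chains;
}

function formatChains(chains) {
  return chains
    .map(c => `${c.path.join(' -> ')}  [${c.severity}] ${c.advisory} (vulnerable: ${c.vulnerableRange})`)
    .join('\n');
}

console.log(formatChains(vulnerabilityChains(sampleReport)));
console.log(`${Object.keys(sampleReport.vulnerabilities).length} audit entries, ` +
            `${rootAdvisories(sampleReport).length} distinct advisory`);
```

Run against the constructed report it prints two chains, both ending at got and the same advisory: `@useoptic/optic -> latest-version -> package-json -> got` and `@useoptic/optic -> update-notifier -> latest-version -> package-json -> got`. That second chain is why bumping only the direct latest-version dependency would leave the audit count unchanged: update-notifier pins its own latest-version, so both edges have to move before the entry for got disappears.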

Will you create a new release for this? Yesterday's version 0.50.12 does not include those changes.

juliangrube1988 avatar Oct 25 '23 13:10 juliangrube1988

Hi, I just released 0.50.13 which includes this change

niclim avatar Oct 25 '23 16:10 niclim

Thanks, but the issue still persists with version 0.50.13:

node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @useoptic/optic  >=0.36.6-0
        Depends on vulnerable versions of update-notifier
        node_modules/@useoptic/optic

5 moderate severity vulnerabilities

juliangrube1988 avatar Oct 26 '23 07:10 juliangrube1988

@juliangrube1988 please try 0.50.14,

➜ cat package.json
{
  "dependencies": {
    "@useoptic/optic": "^0.50.14"
  }
}

➜ npm audit
found 0 vulnerabilities

notnmeyer avatar Oct 26 '23 15:10 notnmeyer

Hey, sorry, we had to revert these changes. The newer packages are ESM only, and we need to spend some time figuring out how to support that.

niclim avatar Oct 26 '23 15:10 niclim