
New release because of CVE-2019-11358

Open JeroenKnoops opened this issue 6 years ago • 1 comment

This CVE (https://nvd.nist.gov/vuln/detail/CVE-2019-11358) resulted in some security alerts in projects which use semantic-ui-css.

[Screenshot 2019-05-03 at 09:44:00]

This is caused by the jquery dependency.

Unfortunately you cannot easily update the dependencies because the dependency is on version x.*

  "dependencies": {
    "jquery": "x.*"
  }

I had to update the yarn.lock files manually in several packages to update this dependency. (see https://github.com/Charterhouse/hush-hush/pull/6/commits/d74266128ccb2aa18fc9f88c097463ac72099b3c )

Can you make a new minor release (even without changes) so people can fix the problem by running: yarn upgrade-interactive?

JeroenKnoops avatar May 03 '19 07:05 JeroenKnoops

Because they're specifying x.*, this doesn't actually require another release.

With npm, I've found that the following works:

  • Remove semantic-ui-css from package.json
  • npm install
  • Add semantic-ui-css back
  • npm install

Doesn't require any manual fiddling with package-lock.json or deleting node_modules. Hopefully a similar approach will work for folks on Yarn :)

alyssaruth avatar May 15 '20 13:05 alyssaruth
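Whether you refresh the lockfile by editing yarn.lock by hand (as in the issue) or by removing and re-adding semantic-ui-css (as in the comment above), the thing to verify afterwards is which jQuery version the lockfile now resolves for the `jquery@x.*` range. The following script is an added example, not code from this issue or from the Semantic-UI-CSS project: it reads the `version` field of the jquery entry from a yarn.lock v1 file and flags anything older than 3.4.0, the jQuery release that fixed CVE-2019-11358. The two lockfiles it checks are constructed inline (the `resolved` URLs carry placeholder hashes), so it runs offline.

```shell
#!/bin/sh
# Added example (not from the issue): report the jQuery version a yarn.lock
# resolves and flag it when it predates the CVE-2019-11358 fix (jQuery 3.4.0).
set -eu

FIXED_VERSION="3.4.0"

# Print the version a yarn.lock v1 file resolves for a package.
# Arguments: lockfile path, package name. Entries look like:
#   jquery@x.*:
#     version "3.3.1"
# Keys may be quoted, so a leading quote is stripped before matching.
resolved_version() {
  lockfile=$1
  pkg=$2
  awk -v pkg="$pkg" '
    /^[^ ]/ { line = $0; sub(/^"/, "", line); inpkg = (index(line, pkg "@") == 1) }
    inpkg && $1 == "version" { gsub(/"/, "", $2); print $2; exit }
  ' "$lockfile"
}

# Return success when dotted version $1 sorts before $2 (numeric per component).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Print "vulnerable <ver>", "ok <ver>" or "missing" for the jquery entry.
check_jquery_lock() {
  ver=$(resolved_version "$1" jquery)
  if [ -z "$ver" ]; then
    echo "missing"
  elif version_lt "$ver" "$FIXED_VERSION"; then
    echo "vulnerable $ver"
  else
    echo "ok $ver"
  fi
}

# Constructed sample lockfiles (not taken from any real project).
OLD_LOCK=$(mktemp)
NEW_LOCK=$(mktemp)
trap 'rm -f "$OLD_LOCK" "$NEW_LOCK"' EXIT

cat > "$OLD_LOCK" <<'EOF'
# yarn lockfile v1

jquery@x.*:
  version "3.3.1"
  resolved "https://registry.yarnpkg.com/jquery/-/jquery-3.3.1.tgz#PLACEHOLDER"

semantic-ui-css@^2.4.1:
  version "2.4.1"
  resolved "https://registry.yarnpkg.com/semantic-ui-css/-/semantic-ui-css-2.4.1.tgz#PLACEHOLDER"
  dependencies:
    jquery x.*
EOF

# The refreshed lockfile differs only in the jquery version it resolves.
sed 's/3\.3\.1/3.4.1/g' "$OLD_LOCK" > "$NEW_LOCK"

check_jquery_lock "$OLD_LOCK"   # vulnerable 3.3.1
check_jquery_lock "$NEW_LOCK"   # ok 3.4.1
```

Run it against the real lockfile with `check_jquery_lock yarn.lock` after the refresh; a `vulnerable` result means the `x.*` range was re-resolved to a cached old version and the lockfile entry still needs updating.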