
Fix: Upgrade yargs to ^16.0.0

Open smeltofelderberries opened this issue 4 years ago • 8 comments

Hi,

There is a patch to a high severity vulnerability available for yargs. Can you please update to version ^16.0.0 or so? It would resolve CVE-2020-7774.

https://snyk.io/test/npm/yargs/15.3.1

Thank you in advance!

smeltofelderberries, Nov 23 '20 19:11

This isn't actually a high severity bug here, so I'll get around to this today or tomorrow. Feel free to open a pull request if you want to speed things along.

calvinmetcalf, Nov 24 '20 14:11

@calvinmetcalf, I have a PR for this, which also resolves the Prototype Pollution vulnerability in y18n by upgrading to yargs 16.1.1.

All tests pass. (screenshot attached)

If you provide me the appropriate access rights, I can push up my branch and open a PR.

arielperez82, Nov 26 '20 07:11

You don't need any rights to open up a PR, just open it from your forked version to mine.

calvinmetcalf, Nov 27 '20 13:11

Ah, that's the rub. I never forked it. Just pulled down your repo and tried to create a branch.

I've attached the patch file here.

If that doesn't work, I can fork and open the PR.

Cheers.

arielperez82, Nov 27 '20 18:11

OK, pushed up a fix, will publish when tests pass.

calvinmetcalf, Nov 27 '20 18:11

Awesome. Thanks.

I ran them locally and all looked good.

arielperez82, Nov 27 '20 18:11

Note that this change should be a breaking change. Previously, copyfiles would work on node 8.x as it was using yargs 15.3.1, which was using engines >= 8 (https://github.com/yargs/yargs/blob/v15.3.1/package.json#L75). Now, copyfiles uses yargs 16.1.0, using engines >= 10 (https://github.com/yargs/yargs/blob/v16.1.0/package.json#L117).

wickedest, Nov 30 '20 20:11
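The two checks this thread turns on, whether a stale yargs or y18n still sits somewhere in the dependency tree after the upgrade requested above, and whether the new yargs's engines floor excludes a Node version a consumer still runs, as an added example. This is not copyfiles' or yargs' code. The lockfile fragment is constructed, and the fixed-version floors are assumptions for the illustration (yargs 16.0.0 from the request in this issue; y18n 4.0.1 and 5.0.5 as the releases taken here to carry the y18n fix); verify them against the advisory you act on before relying on the output.

```javascript
// Added example, not code from copyfiles or yargs. Walks a lockfileVersion-1
// package-lock.json tree for every installed copy of yargs and y18n, flags the
// ones below an assumed fixed version, and checks an "engines.node" floor
// (the ">=N" form yargs uses) against a Node version.

// "16.1.1", "v8.17.0" or the operand of ">=10" -> [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// -1, 0 or 1, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recursively collect every installed copy of the named packages, with its
// nesting path, so a stale copy hidden under another dependency is found too.
function collectVersions(deps, names, path = [], out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (names.includes(name)) {
      out.push({ name, version: entry.version, path: here.join(' > ') });
    }
    collectVersions(entry.dependencies, names, here, out);
  }
  return out;
}

// A version counts as fixed if a fix exists on its major line and it is at or
// above that fix, or if it is on a newer major line than any listed fix.
function isFixed(version, fixedVersions) {
  const major = parseVersion(version)[0];
  const fixedMajors = fixedVersions.map((f) => parseVersion(f)[0]);
  const sameMajor = fixedVersions.filter((f, i) => fixedMajors[i] === major);
  if (sameMajor.length > 0) {
    return sameMajor.some((f) => compareVersions(version, f) >= 0);
  }
  return major > Math.max(...fixedMajors);
}

// Every installed copy of a tracked package that is still below its fix.
function findOutdated(lock, fixed) {
  return collectVersions(lock.dependencies, Object.keys(fixed))
    .filter((f) => !isFixed(f.version, fixed[f.name]));
}

// Does nodeVersion satisfy an engines range of the form ">=X"? Only that form
// is handled (assumption); anything else is rejected rather than guessed at.
function satisfiesEngine(range, nodeVersion) {
  const m = /^>=\s*(\S+)$/.exec(String(range).trim());
  if (!m) throw new Error(`unsupported engines range: ${range}`);
  return compareVersions(nodeVersion, m[1]) >= 0;
}

// Constructed lockfile fragment: copyfiles still carrying a nested yargs 15.3.1
// (with y18n 4.0.0) while a hoisted yargs 16.1.1 with y18n 5.0.5 sits at top level.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    copyfiles: {
      version: '0.0.0-constructed',
      dependencies: {
        yargs: { version: '15.3.1', dependencies: { y18n: { version: '4.0.0' } } },
      },
    },
    yargs: { version: '16.1.1', dependencies: { y18n: { version: '5.0.5' } } },
  },
};

// Assumed fix floors for the illustration: yargs ^16 as requested in the issue,
// y18n 4.0.1 / 5.0.5 as the y18n releases taken here to carry the fix.
const FIXED = { yargs: ['16.0.0'], y18n: ['4.0.1', '5.0.5'] };

if (typeof require !== 'undefined' && require.main === module) {
  for (const o of findOutdated(SAMPLE_LOCK, FIXED)) {
    console.log(`outdated: ${o.name}@${o.version} at ${o.path}`);
  }
  console.log(`node ${process.version} satisfies ">=10": ${satisfiesEngine('>=10', process.version)}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; the path column is what tells you whether a flagged copy is one `npm update` will move or one pinned by an intermediate dependency's range. The engines check is deliberately strict about the range syntax: a floor it cannot parse is reported, not silently treated as satisfied.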

Good callout Jamie.

arielperez82, Nov 30 '20 20:11