cordova-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-11484) coho test failure (library vulnerability)
Date Sat, 25 Jun 2016 08:59:14 GMT

    [ https://issues.apache.org/jira/browse/CB-11484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15349519#comment-15349519 ]

ASF GitHub Bot commented on CB-11484:
-------------------------------------

GitHub user purplecabbage opened a pull request:

    https://github.com/apache/cordova-coho/pull/128

    CB-11484 Fix library vulnerability in nlf

    Removed unused dependencies.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/purplecabbage/cordova-coho CB-11484

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cordova-coho/pull/128.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #128
    
----
commit 1072e902d794846f6027ddd5228a319d9d122643
Author: Jesse MacFadyen <purplecabbage@gmail.com>
Date:   2016-06-25T08:57:04Z

    Fix library vulnerability in nlf

----


> coho test failure (library vulnerability)
> -----------------------------------------
>
>                 Key: CB-11484
>                 URL: https://issues.apache.org/jira/browse/CB-11484
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Coho
>            Reporter: Shazron Abdullah
>            Priority: Critical
>
> Our use of nlf@1.1.0 contains, down the tree, a vulnerable library minimatch@2.0.10:
> {code}
> (+) 1 vulnerabilities found
> ┌───────────────┬────────────────────────────────────────────────────────────────────────────┐
> │               │ Regular Expression Denial of Service                                       │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ Name          │ minimatch                                                                  │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ Installed     │ 2.0.10                                                                     │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ Vulnerable    │ <=3.0.1                                                                    │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ Patched       │ >=3.0.2                                                                    │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ Path          │ cordova-coho@0.0.3 > nlf@1.1.0 > glob@4.5.3 > minimatch@2.0.10             │
> ├───────────────┼────────────────────────────────────────────────────────────────────────────┤
> │ More Info     │ https://nodesecurity.io/advisories/118                                     │
> └───────────────┴────────────────────────────────────────────────────────────────────────────┘
> {code}
> Filed for nlf:
> https://github.com/iandotkelly/nlf/issues/40
> Filed for glob-all (which later versions of nlf use):
> https://github.com/jpillora/node-glob-all/issues/12
> glob-all uses glob, which patched this 4 days ago in 7.0.5:
> https://github.com/isaacs/node-glob/issues/268
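An added example, not code from cordova-coho, nlf or nsp, of the check the quoted nsp output performs: walk a dependency tree and report every path that reaches a minimatch version inside the advisory's vulnerable range (<=3.0.1). The tree, including a second path with a patched minimatch@3.0.2, is constructed here to mirror the report, and the version comparison is a minimal hand-rolled one that ignores pre-release tags.

```javascript
// Added example (not from cordova-coho, nlf or nsp): find dependency paths that
// end in a package version covered by an advisory, as the nsp report above does.

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release tags are ignored here.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical,
// so 2.0.10 correctly sorts after 2.0.9).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Advisory exactly as the report states it: minimatch <=3.0.1 vulnerable, >=3.0.2 patched.
const ADVISORY = { name: 'minimatch', vulnerableUpTo: '3.0.1', patchedFrom: '3.0.2',
                   title: 'Regular Expression Denial of Service' };

function isVulnerable(name, version, advisory) {
  return name === advisory.name && compareVersions(version, advisory.vulnerableUpTo) <= 0;
}

// Depth-first walk over { name, version, dependencies: [...] } nodes. Returns
// every "a@1 > b@2 > c@3" path whose last element is a vulnerable version.
function findVulnerablePaths(node, advisory, trail = []) {
  const here = [...trail, `${node.name}@${node.version}`];
  const hits = isVulnerable(node.name, node.version, advisory) ? [here.join(' > ')] : [];
  for (const dep of node.dependencies || []) {
    hits.push(...findVulnerablePaths(dep, advisory, here));
  }
  return hits;
}

// Constructed tree: the path from the nsp report, plus a second (constructed)
// glob@7.0.5 subtree carrying a patched minimatch, to show the >=3.0.2 boundary.
const TREE = {
  name: 'cordova-coho', version: '0.0.3', dependencies: [
    { name: 'nlf', version: '1.1.0', dependencies: [
      { name: 'glob', version: '4.5.3', dependencies: [
        { name: 'minimatch', version: '2.0.10' } ] } ] },
    { name: 'glob', version: '7.0.5', dependencies: [
      { name: 'minimatch', version: '3.0.2' } ] } ] };

console.log(`${ADVISORY.title}:`, findVulnerablePaths(TREE, ADVISORY));
```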



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
