Closed akbarkz closed 2 years ago
Does this require a major version change in postcss? If not then an npm update should take care of it in any project due to the semantic versioning rule already in place: `^8.4.6`
On Tue, Feb 8, 2022 at 5:48 AM Akbar Abdrakhmanov wrote:
--
THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his
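The caret-range reasoning in the reply above (whether a fix in a transitive dependency falls inside a declared `^` range, so that only the lockfile needs refreshing, or whether it lives in a new major and needs a declared-range change) worked through as an added JavaScript example. This is not code from the thread, from sanitize-html or from postcss; the `^3.1.30` range, the `yarn.lock` text and the registry host are constructed for the example.

```javascript
// Added example (not from the sanitize-html thread or the postcss project):
// caret-range semantics and a small yarn.lock v1 reader, used to decide whether
// a vulnerable transitive pin can be fixed by refreshing the lockfile alone.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are out of scope here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret rule as npm/yarn apply it: the leftmost non-zero component is frozen.
//   ^8.4.6 -> >=8.4.6 <9.0.0    ^0.4.6 -> >=0.4.6 <0.5.0    ^0.0.6 -> >=0.0.6 <0.0.7
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are handled: ${range}`);
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// Given the declared range, the version the lockfile resolves to and the first
// fixed version, say what the project has to do.
function classifyRemediation({ range, locked, fixed }) {
  if (compareVersions(locked, fixed) >= 0) return 'already-fixed';
  if (caretSatisfies(range, fixed)) return 'refresh-lockfile';   // no package.json change needed
  return 'bump-declared-range';                                   // fix lives in a new major
}

// Minimal yarn.lock v1 reader: entry headers (`name@range[, name@range]:`) and
// their `version "x.y.z"` line. resolved/integrity/dependencies are ignored.
function readYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+version\s+"([^"]+)"/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Split `nanoid@^3.1.30` (or `@scope/pkg@^1.0.0`) at the last '@'.
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

// For one package, list every lockfile pin below the fix and the remediation it needs.
function auditLock(lockText, pkgName, fixedVersion) {
  return readYarnLockV1(lockText)
    .flatMap(e => e.specs.map(s => ({ ...splitSpec(s), locked: e.version })))
    .filter(s => s.name === pkgName)
    .map(({ range, locked }) => ({
      range, locked,
      action: classifyRemediation({ range, locked, fixed: fixedVersion }),
    }));
}

// Constructed sample lockfile (hypothetical ranges and registry host, not a real yarn.lock).
const SAMPLE_LOCK = `# yarn lockfile v1

nanoid@^3.1.30:
  version "3.1.30"
  resolved "https://registry.example/nanoid/-/nanoid-3.1.30.tgz"

postcss@^8.4.6:
  version "8.4.6"
  resolved "https://registry.example/postcss/-/postcss-8.4.6.tgz"
  dependencies:
    nanoid "^3.1.30"
`;

console.log(auditLock(SAMPLE_LOCK, 'nanoid', '3.1.31'));
// -> [ { range: '^3.1.30', locked: '3.1.30', action: 'refresh-lockfile' } ]
```

When the action is `refresh-lockfile`, the fix is reachable without touching package.json: a targeted `yarn upgrade <package>` (Yarn v1) re-resolves that one entry, which is the milder alternative to deleting `yarn.lock` and reinstalling everything as the reporter did. Only `bump-declared-range` means a maintainer has to publish a release with a changed dependency range.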
You're right, removing yarn.lock and reinstalling all the packages solved the issue. Sorry for bothering.
No worries.
On Wed, Feb 9, 2022 at 8:39 AM Akbar Abdrakhmanov wrote:
To Reproduce
Add Snyk as an application in GitHub actions of a repo, that should add a pipeline step `security/snyk`. Have `sanitize-html` as a dependency of a project and push PR to GitHub.

Expected behavior
I expect `security/snyk` pipeline not to break with any vulnerability issues.

Describe the bug
In our project `security/snyk` pipeline broke with an error regarding one of the dependencies having a vulnerability issue.

Details
Namely, `nanoid` that is used in `postcss` that you guys are using. It's complaining about `nanoid`'s version 3.1.30. And the issue is already fixed in 3.1.31. The version of `sanitize-html` that we use is 2.6.1.

Version of Node.js: 14.17.6
Server Operating System: Docker image `node:16.13-stretch`

Screenshots
Here's the screenshot from Snyk's report: ![image](https://user-images.githubusercontent.com/15943863/152967283-e21368fa-fa0c-460f-91c8-2c6b2188afc5.png)