search

chaijs / chai

BDD / TDD assertion framework for node.js and the browser that can be paired with any testing framework.
https://chaijs.github.io
MIT License
8.15k stars 698 forks source link

Update dependency on `get-func-name` to at least 2.0.1 to fix CVE #1539

Closed jsynacek closed 1 year ago

jsynacek commented 1 year ago

The current version string should be bumped to 2.0.1 to explicitly skip 2.0.0, which is susceptible to https://github.com/advisories/GHSA-4q6p-r6v2-jvc5.

keithamus commented 1 year ago

It uses the semver ^ which means unless your upstream project is pinning it to the susceptible version, 2.0.2 will be installed.

But feel free to make a PR changing the version in the package.json.

keithamus commented 1 year ago

fixed in https://github.com/chaijs/chai/commit/0ccd823cb3ee6a433156c4e23cc67de79d4f368d

BreakBB commented 1 year ago

Can you give an estimate when you want to release this change @keithamus ?

keithamus commented 1 year ago

@BreakBB https://github.com/chaijs/chai/releases/tag/v4.3.10

BreakBB commented 1 year ago

Absolutely awesome @keithamus 💪🏻 Insane response time 🥳