iTwin / itwinjs-core

Monorepo for iTwin.js Library
https://www.itwinjs.org
MIT License

Resolve GHSA-gcx4-mw62-g8wm (backport #7189) [release/4.9.x] #7191

Closed mergify[bot] closed 1 month ago

mergify[bot] commented 1 month ago

```
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ DOM Clobbering Gadget found in rollup bundled scripts  │
│                     │ that leads to XSS                                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ rollup                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <4.22.4                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.22.4                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ ../../test-apps/display-performance-test-app >         │
│                     │ vite@5.4.6 > rollup@4.20.0                             │
│                     │                                                        │
│                     │ ../../test-apps/display-performance-test-app >         │
│                     │ vite-plugin-inspect@0.8.4 > vite@5.4.6 > rollup@4.20.0 │
│                     │                                                        │
│                     │ ../../test-apps/display-test-app > vite@5.4.6 >        │
│                     │ rollup@4.20.0                                          │
│                     │                                                        │
│                     │ ... Found 4 paths, run `pnpm why rollup` for more      │
│                     │ information                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-gcx4-mw62-g8wm      │
└─────────────────────┴────────────────────────────────────────────────────────┘
```

This is an automatic backport of pull request #7189 done by [Mergify](https://mergify.com).

mergify[bot] commented 1 month ago

Cherry-pick of 2b0b0406a97a8be8defd51ea8a2a7c0131510fa8 has failed:

```
On branch mergify/bp/release/4.9.x/pr-7189
Your branch is up to date with 'origin/release/4.9.x'.

You are currently cherry-picking commit 2b0b0406a9.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Unmerged paths:
  (use "git add <file>..." to mark resolution)
    both modified:   common/config/rush/pnpm-lock.yaml

no changes added to commit (use "git add" and/or "git commit -a")
```

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally