jeffrifwald / babel-istanbul

Yet another JS code coverage tool that computes statement, line, function and branch coverage with module loader hooks to transparently add coverage when running tests. Supports all JS coverage use cases including unit tests, server side functional tests and browser tests. Built for scale.

Bump fileset dependency version #73

Closed pdehaan closed 7 years ago

pdehaan commented 8 years ago

Re: https://nodesecurity.io/advisories/118

It looks like minimatch@<=3.0.1 may have a potential ReDoS. This PR just bumps fileset to 2.x which includes the latest minimatch.

Before:

$ nsp check

(+) 1 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                                              │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ minimatch                                                                                         │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 2.0.10                                                                                            │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <=3.0.1                                                                                           │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >=3.0.2                                                                                           │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ babel-istanbul@0.11.0 > fileset@0.2.1 > minimatch@2.0.10                                          │
├───────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/118                                                            │
└───────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────┘

After:

$ nsp check

(+) No known vulnerabilities found
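The `nsp check` report above is the result of matching every installed copy of `minimatch` in the dependency tree against the advisory's vulnerable range (`<=3.0.1`). The script below is an added example of that check, not code from the babel-istanbul project or from nsp: it walks a constructed dependency tree shaped like `npm ls --json` output (modelled on the path in the report, with a second, patched copy added to show it is not flagged) and returns the path to each vulnerable install. The advisory record shape, the `findVulnerablePaths`/`satisfies` names and the single-comparator range parser are assumptions for the example.

```javascript
// Added example (not part of the babel-istanbul PR or of nsp): walk an npm
// dependency tree and report every path that ends in a minimatch version
// inside the advisory's vulnerable range (<=3.0.1).

// Constructed sample in the shape of `npm ls --json` output, modelled on the
// path shown in the PR's nsp report. Not real captured data; the nested glob
// entry is invented to show a patched copy that must not be reported.
const sampleTree = {
  name: 'babel-istanbul',
  version: '0.11.0',
  dependencies: {
    fileset: {
      version: '0.2.1',
      dependencies: {
        minimatch: { version: '2.0.10', dependencies: {} },
        glob: {
          version: '5.0.15',
          dependencies: { minimatch: { version: '3.0.2', dependencies: {} } },
        },
      },
    },
  },
};

// Minimal advisory record carrying the fields from the nsp table that drive
// the match. Assumed shape for this example, not the nsp database format.
const advisory = {
  name: 'minimatch',
  vulnerable: '<=3.0.1',
  patched: '>=3.0.2',
  url: 'https://nodesecurity.io/advisories/118',
};

// Parse "MAJOR.MINOR.PATCH" into three numbers. Pre-release suffixes are
// stripped rather than compared; none occur in the sample tree.
function parseVersion(v) {
  const parts = v.split('-')[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Three-way comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a single-comparator range such as "<=3.0.1" or ">=3.0.2".
// Compound ranges (space-separated, "||") are out of scope here.
function satisfies(version, range) {
  const m = /^(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || '=';
  const cmp = compareVersions(parseVersion(version), parseVersion(m[2]));
  switch (op) {
    case '<': return cmp < 0;
    case '<=': return cmp <= 0;
    case '>': return cmp > 0;
    case '>=': return cmp >= 0;
    default: return cmp === 0;
  }
}

// Depth-first walk of the tree. Returns one "a@1 > b@2 > c@3" path string
// per install of the advised package whose version satisfies the range.
function findVulnerablePaths(tree, adv) {
  const hits = [];
  function walk(node, name, path) {
    const here = path.concat(`${name}@${node.version}`);
    if (name === adv.name && satisfies(node.version, adv.vulnerable)) {
      hits.push(here.join(' > '));
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, here);
    }
  }
  walk(tree, tree.name, []);
  return hits;
}

const found = findVulnerablePaths(sampleTree, advisory);
if (found.length === 0) {
  console.log('(+) No known vulnerabilities found');
} else {
  console.log(`(+) ${found.length} vulnerabilities found`);
  for (const p of found) {
    console.log(`  ${advisory.name} ${advisory.vulnerable}: ${p}  ${advisory.url}`);
  }
}
```

Run against the sample tree it reports the single path `babel-istanbul@0.11.0 > fileset@0.2.1 > minimatch@2.0.10`, matching the "Before" output, and stays silent about the `3.0.2` copy; bumping `fileset` so that the only remaining `minimatch` is `>=3.0.2` is what turns that into the "After" result.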
toddw commented 7 years ago

@pdehaan is there anything else you would like to see to get this merged?

toddw commented 7 years ago

Sorry I meant to mention @jmcriffey please see above

mjrussell commented 7 years ago

👍 would be nice to get this merged to avoid npm install warnings

jeffrifwald commented 7 years ago

I'm going to see about updating the current version of istanbul. They have addressed this security issue already. I'll keep this PR open though until I get it all merged. Thanks!

adamstankiewicz commented 7 years ago

@jmcriffey Any update on this?

jeffrifwald commented 7 years ago

Sorry for the delay. There is a regression in istanbul directly related to the glob update. I just now had some time to figure out what was going on. There is now an updated version of babel-istanbul published at 0.12.1.