linkeddata / rdflib.js

Linked Data API for JavaScript
http://linkeddata.github.io/rdflib.js/doc/

Update jsonld dependency to resolve undici CVEs #646

Closed paulslauenwhite closed 2 months ago

paulslauenwhite commented 2 months ago

rdflib.js has the following dependency hierarchy:

The undici dependency has the following CVEs:

To resolve these CVEs, the http-client dependency will need to upgrade to undici-5.28.4, which contains fixes for these CVEs.

bourgeoa commented 2 months ago

closed with https://github.com/linkeddata/rdflib.js/commit/25d13ff3767fbc6adbc8c9bb8f90840eddda8c70

bourgeoa commented 2 months ago

merged in rdflib@2.2.35

paulslauenwhite commented 2 months ago

Thanks @bourgeoa for the quick fix. Unfortunately, this fix (jsonld@8.3.2) did not resolve these undici CVEs. Looks like jsonld dependency will need to be upgraded to include a version of http-client that includes undici-5.28.4 or later, which contains fixes for these CVEs.

Can you please reopen this issue?

bourgeoa commented 2 months ago

@paulslauenwhite I re-opened the issue but I should not. I checked rdflib@2.2.35 and it includes a version of http-client that includes undici-5.28.4

# npm ls undici
rdflib@2.2.35 /mnt/d/github/solidos/workspaces/rdflib
└─┬ jsonld@8.3.2
  └─┬ @digitalbazaar/http-client@3.4.1
    └── undici@5.28.4

paulslauenwhite commented 2 months ago

Thanks @bourgeoa. Apologies for the confusion. Upgrading to rdflib@2.2.35 and running yarn install did not upgrade to undici@5.28.4 for me. The work-around:

  1. Remove rdflib@2.2.35.
  2. Run yarn install.
  3. Add rdflib@2.2.35.
  4. Run yarn install.

bourgeoa commented 2 months ago

No apologies. Happy that everything works for you.