mathiasbynens / punycode.js

A robust Punycode converter that fully complies to RFC 3492 and RFC 5891.
https://mths.be/punycode
MIT License

Dependency upgrades for mitigating a vulnerability #128

Closed KoenDG closed 1 year ago

KoenDG commented 1 year ago

The codecov package had a vulnerability.

The istanbul package is no longer maintained. The project recommends switching to the nyc package, which was done.

The vulnerability, as per npm audit:

Severity: high
Command injection in codecov (npm package) - https://github.com/advisories/GHSA-xp63-6vf5-xf3v
codecov NPM module allows remote attackers to execute arbitrary commands - https://github.com/advisories/GHSA-5q88-cjfq-g2mh
Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov - https://github.com/advisories/GHSA-mh2h-6j8q-x246
fix available via `npm audit fix --force`
Will install codecov@3.8.3, which is a breaking change
node_modules/codecov

Tests ran, all passed locally.

mathiasbynens commented 1 year ago

Thanks!