opticdev / optic

OpenAPI linting, diffing and testing. Optic helps prevent breaking changes, publish accurate documentation and improve the design of your APIs.
https://useoptic.com
MIT License

Update latest-version + update-notifier packages #2414

Open juliangrube1988 opened 11 months ago

juliangrube1988 commented 11 months ago

Describe the bug
Optic v0.50.10 depends on a vulnerable version of latest-version.

To Reproduce
Steps to reproduce the behavior:

  1. npm install @useoptic/optic
  2. npm audit

Expected behavior
latest-version > 5.1.0

Details (please complete the following information):

notnmeyer commented 11 months ago

https://github.com/advisories/GHSA-pfrx-2q88-qq97

Unless I'm mistaken, it looks like there are actually a few packages here to sort out:

➜ npm audit
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @useoptic/optic@0.47.7, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      @useoptic/optic  >=0.36.6-0
      Depends on vulnerable versions of latest-version
      Depends on vulnerable versions of update-notifier
      node_modules/@useoptic/optic
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run:

juliangrube1988 commented 11 months ago

Will you create a new release for this? Yesterday's version 0.50.12 does not include those changes.

niclim commented 11 months ago

Hi, I just released 0.50.13, which includes this change.

juliangrube1988 commented 11 months ago

Thanks, but the issue still persists with version 0.50.13:

node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @useoptic/optic  >=0.36.6-0
        Depends on vulnerable versions of update-notifier
        node_modules/@useoptic/optic

5 moderate severity vulnerabilities

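
The transitive chain shown in the two audit reports above (optic > update-notifier > latest-version > package-json > got), as an added check that is not part of this thread or of the Optic project: it walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and reports every path from a root package to `got` that resolves below 11.8.5. The lockfile in the block is constructed to mimic that chain; to check a real install, replace it with `JSON.parse(fs.readFileSync("package-lock.json"))`.

```javascript
// Added example, not Optic's own code: walk an npm lockfile's "packages" map,
// list every dependency path from a root package to `got`, and flag installs
// below 11.8.5 (the patched version for GHSA-pfrx-2q88-qq97). Constructed lockfile:
const constructedLock = { lockfileVersion: 3, packages: {
  "node_modules/@useoptic/optic": { version: "0.50.13", dependencies: { "update-notifier": "^5.1.0" } },
  "node_modules/update-notifier": { version: "5.1.0", dependencies: { "latest-version": "^5.1.0" } },
  "node_modules/latest-version": { version: "5.1.0", dependencies: { "package-json": "^6.5.0" } },
  "node_modules/package-json": { version: "6.5.0", dependencies: { got: "^9.6.0" } },
  "node_modules/got": { version: "9.6.0" },
} };

// Numeric comparison of dotted versions (pre-release suffix ignored): <0, 0 or >0.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Resolve `name` as npm does from `fromPath`: nested node_modules first, then each enclosing level.
function resolveEntry(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return [candidate, packages[candidate]];
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first search for every path from `root` to `target`, recording the version reached; cycles are skipped.
function findPaths(lock, root, target) {
  const results = [];
  const walk = (path, names, seen) => {
    for (const dep of Object.keys(lock.packages[path].dependencies || {})) {
      const [depPath, entry] = resolveEntry(lock.packages, path, dep) || [];
      if (!depPath) continue;
      if (dep === target) results.push({ chain: [...names, dep], version: entry.version });
      else if (!seen.has(depPath)) walk(depPath, [...names, dep], new Set(seen).add(depPath));
    }
  };
  walk(`node_modules/${root}`, [root], new Set());
  return results;
}

// Paths whose resolved `got` is older than the fixed version.
function vulnerableGotPaths(lock, root, fixed = "11.8.5") {
  return findPaths(lock, root, "got").filter((p) => compareVersions(p.version, fixed) < 0);
}

vulnerableGotPaths(constructedLock, "@useoptic/optic").forEach((h) => console.log(`${h.chain.join(" > ")} (got ${h.version})`));
```

An empty result after upgrading means no path from the root package still resolves to a vulnerable `got`, which is the same condition `npm audit` reports as "found 0 vulnerabilities" for this advisory.
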
notnmeyer commented 11 months ago

@juliangrube1988 please try 0.50.14:

➜ cat package.json
{
  "dependencies": {
    "@useoptic/optic": "^0.50.14"
  }
}

➜ npm audit
found 0 vulnerabilities

niclim commented 11 months ago

Hey, sorry, we had to revert these changes: the newer packages are ESM only, and we need to spend some time figuring out how to support that.