Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Pinned colors library to 1.4.0 #488

Merged
merged 4 commits into from
Jan 10, 2022
Merged

Security: Pinned colors library to 1.4.0 #488

merged 4 commits into from
Jan 10, 2022

Conversation

plocket
Copy link
Collaborator

@plocket plocket commented Jan 10, 2022
edited
Loading

Because it's a security issue, I already published it. I think. I'd love a double check on this because I published before I committed and I don't recall if that flow is sufficient. I'm just going to check it myself. Faster that way.

See https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

We don't use other libraries mentioned in there, so we're good on those.

@plocket plocket added bug Something isn't working in a deployed feature ! priority A combination of urgency and impact labels Jan 10, 2022
@plocket plocket marked this pull request as draft January 10, 2022 14:35
@plocket
Copy link
Collaborator Author

plocket commented Jan 10, 2022

Draft until we can test the action. See #489.

@plocket
Update our action as depedents need the fix in their json too
9d89739 
This won't fix this for all our dependents because most of them
don't use the action, but this will fix it for those that use the
action.
@plocket
Update package.json and package-lock.json to match the new version
d4f2b02
BryceStevenWilley
BryceStevenWilley approved these changes Jan 10, 2022
View reviewed changes
Copy link
Collaborator

@BryceStevenWilley BryceStevenWilley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes here LGTM.

@plocket plocket marked this pull request as ready for review January 10, 2022 18:46
@plocket
Copy link
Collaborator Author

plocket commented Jan 10, 2022
edited
Loading

Confirmed as working at https://github.com/plocket/docassemble-CompositeActionsTest/actions/runs/1678835970. This is for v3, so I'm going to make the same change in v4. I might do special admin magic to be able to merge it myself [with these PR changes for reference].

@plocket plocket merged commit d1cc76c into releases/v3 Jan 10, 2022
@plocket plocket deleted the hotfix_pin_colors_lib branch January 10, 2022 18:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BryceStevenWilley BryceStevenWilley BryceStevenWilley approved these changes

Assignees
No one assigned
Labels
bug Something isn't working in a deployed feature ! priority A combination of urgency and impact
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@plocket @BryceStevenWilley