
[scripts-integration-fixtures] Address GitHub detected a vulnerability in the @sveltejs/kit dependency #6943

Merged: 1 commit from svelte-upgrade-2 into main, Dec 11, 2024

Conversation

Fetz (Contributor) commented Dec 11, 2024

Description

GitHub has identified a security vulnerability in a package dependency @sveltejs/kit:

Steps done:

1. `npm install @sveltejs/kit@^2.8.3 --save-dev`

```
npm install @sveltejs/kit@^2.8.3 --save-dev
added 105 packages, and audited 106 packages in 5s

8 vulnerabilities (6 low, 1 moderate, 1 high)
```
2. `npm audit`

```
npm audit
# npm audit report

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install @sveltejs/[email protected], which is a breaking change
node_modules/cookie
  @sveltejs/kit  >=1.0.0-next.0
  Depends on vulnerable versions of cookie
  node_modules/@sveltejs/kit
    @sveltejs/adapter-auto  >=1.0.0-next.0
    Depends on vulnerable versions of @sveltejs/kit
    node_modules/@sveltejs/adapter-auto
    @sveltejs/adapter-node  >=1.0.0-next.0
    Depends on vulnerable versions of @sveltejs/kit
    node_modules/@sveltejs/adapter-node
    @sveltejs/adapter-static  >=1.0.0-next.0
    Depends on vulnerable versions of @sveltejs/kit
    node_modules/@sveltejs/adapter-static

nanoid  <3.3.8
Infinite loop in nanoid - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix`
node_modules/nanoid

rollup  4.0.0 - 4.22.3
Severity: high
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS - https://github.com/advisories/GHSA-gcx4-mw62-g8wm
fix available via `npm audit fix`
node_modules/rollup

vite  5.2.0 - 5.2.13
Severity: moderate
Vite's `server.fs.deny` is bypassed when using `?import&raw` - https://github.com/advisories/GHSA-9cwx-2883-4wfx
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS - https://github.com/advisories/GHSA-64vr-g452-qvp3
fix available via `npm audit fix`
node_modules/vite

8 vulnerabilities (6 low, 1 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```
3. `npm audit fix rollup`

```
npm audit fix rollup
added 2 packages, removed 11 packages, changed 16 packages, and audited 97 packages in 2s

11 packages are looking for funding
  run `npm fund` for details

# npm audit report

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install @sveltejs/[email protected], which is a breaking change
node_modules/cookie
  @sveltejs/kit  >=1.0.0-next.0
  Depends on vulnerable versions of cookie
  node_modules/@sveltejs/kit
    @sveltejs/adapter-auto  >=1.0.0-next.0
    Depends on vulnerable versions of @sveltejs/kit
    node_modules/@sveltejs/adapter-auto
    @sveltejs/adapter-node  >=1.0.0-next.0
    Depends on vulnerable versions of @sveltejs/kit
    node_modules/@sveltejs/adapter-node
    @sveltejs/adapter-static  >=1.0.0-next.0
    Depends on vulnerable versions of @sveltejs/kit
    node_modules/@sveltejs/adapter-static

5 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```

Test plan

see automated tests

Before

No visual changes

After

No visual changes
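The three-step audit-and-fix sequence in the description is a manual procedure, and the PR lands with the five low-severity cookie findings still open because the only fix is a semver-major bump of `@sveltejs/kit`. The following is an added example (not code from the lexical repository or from this PR) of how a practitioner turns the same `npm audit --json` output into a CI gate: fail on advisories at or above a chosen severity, list what `npm audit fix` can resolve without a breaking change, and tolerate an explicit allow-list of GHSA ids for findings that are knowingly deferred. The sample report is constructed inline to mirror the shape of the npm v7+ JSON audit report and the packages and advisory URLs listed above; the per-advisory severities of the two vite entries, the `0.0.0-placeholder` versions, and the function names `triageAudit` and `exitCodeFor` are assumptions of this example.

```javascript
// Added example, not part of the lexical PR: triage an `npm audit --json` report.
// Run stand-alone with `node audit-gate.js`; in CI you would replace SAMPLE_REPORT
// with JSON.parse(fs.readFileSync(0, 'utf8')) and pipe `npm audit --json` into it.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the npm v7+ report shape (assumption), carrying the
// findings from the PR description: cookie (low, fixable only via a breaking
// @sveltejs/kit bump), nanoid (low), rollup (high), vite (moderate). The
// per-advisory severities inside `via` for vite and the versions in
// `fixAvailable` are placeholders, not values shown on the page.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    cookie: {
      name: 'cookie', severity: 'low', isDirect: false, range: '<0.7.0',
      via: [{ source: 1, name: 'cookie', severity: 'low', range: '<0.7.0',
        title: 'cookie accepts cookie name, path, and domain with out of bounds characters',
        url: 'https://github.com/advisories/GHSA-pxg6-pf52-xh8x' }],
      effects: ['@sveltejs/kit'],
      fixAvailable: { name: '@sveltejs/kit', version: '0.0.0-placeholder', isSemVerMajor: true },
    },
    '@sveltejs/kit': {
      name: '@sveltejs/kit', severity: 'low', isDirect: true, range: '>=1.0.0-next.0',
      via: ['cookie'], effects: ['@sveltejs/adapter-auto'],
      fixAvailable: { name: '@sveltejs/kit', version: '0.0.0-placeholder', isSemVerMajor: true },
    },
    nanoid: {
      name: 'nanoid', severity: 'low', isDirect: false, range: '<3.3.8',
      via: [{ source: 2, name: 'nanoid', severity: 'low', range: '<3.3.8',
        title: 'Infinite loop in nanoid',
        url: 'https://github.com/advisories/GHSA-mwcw-c2x4-8c55' }],
      effects: [], fixAvailable: true,
    },
    rollup: {
      name: 'rollup', severity: 'high', isDirect: false, range: '4.0.0 - 4.22.3',
      via: [{ source: 3, name: 'rollup', severity: 'high', range: '4.0.0 - 4.22.3',
        title: 'DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS',
        url: 'https://github.com/advisories/GHSA-gcx4-mw62-g8wm' }],
      effects: [], fixAvailable: true,
    },
    vite: {
      name: 'vite', severity: 'moderate', isDirect: false, range: '5.2.0 - 5.2.13',
      via: [
        { source: 4, name: 'vite', severity: 'moderate', range: '5.2.0 - 5.2.13',
          title: "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
          url: 'https://github.com/advisories/GHSA-9cwx-2883-4wfx' },
        { source: 5, name: 'vite', severity: 'low', range: '5.2.0 - 5.2.13',
          title: 'Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS',
          url: 'https://github.com/advisories/GHSA-64vr-g452-qvp3' },
      ],
      effects: [], fixAvailable: true,
    },
  },
};

// Walk every package entry and classify its advisories.
// failOn: lowest severity that fails the gate; allow: GHSA ids deliberately deferred.
function triageAudit(report, { failOn = 'high', allow = [] } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  const failing = [], fixableNow = [], needsMajor = [];
  for (const pkg of Object.values(report.vulnerabilities)) {
    // `via` mixes advisory objects (direct findings on this package) with
    // strings naming a vulnerable dependency it merely pulls in; only the
    // objects carry a GHSA url, so strings are skipped to avoid double counting.
    for (const v of pkg.via) {
      if (typeof v !== 'object' || v === null) continue;
      const ghsa = v.url.split('/').pop();
      // Unknown severity strings fail closed rather than slipping past the gate.
      const rank = SEVERITY_RANK[v.severity] ?? SEVERITY_RANK.critical;
      if (rank >= threshold && !allow.includes(ghsa)) {
        failing.push({ package: pkg.name, ghsa, severity: v.severity, title: v.title });
      }
    }
    // fixAvailable is `true` when `npm audit fix` suffices, an object when a
    // (possibly semver-major) bump of another package is required.
    if (pkg.fixAvailable === true) fixableNow.push(pkg.name);
    else if (pkg.fixAvailable && pkg.fixAvailable.isSemVerMajor) needsMajor.push(pkg.name);
  }
  return { failing, fixableNow, needsMajor };
}

// Exit status a CI step would use; kept as a pure function so it can be checked.
function exitCodeFor(result) {
  return result.failing.length > 0 ? 1 : 0;
}

const result = triageAudit(SAMPLE_REPORT, { failOn: 'high' });
console.log(JSON.stringify(result, null, 2));
console.log(`gate exit code: ${exitCodeFor(result)}`);
```

With the sample report the gate fails only on the rollup advisory; lowering `failOn` to `moderate` additionally flags the vite `server.fs.deny` bypass, and passing the GHSA id in `allow` records a deliberate deferral rather than silently lowering the bar. To wire it into CI, set `process.exitCode = exitCodeFor(result)` at the end instead of printing it.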

@Fetz added the `dependencies` label (Pull requests that update a dependency file) Dec 11, 2024

vercel bot commented Dec 11, 2024

Name                Status    Updated (UTC)
lexical             ✅ Ready  Dec 11, 2024 4:21pm
lexical-playground  ✅ Ready  Dec 11, 2024 4:21pm

@facebook-github-bot added the `CLA Signed` label (managed by the Facebook bot; authors need to sign the CLA before a PR can be reviewed) Dec 11, 2024

size-limit report 📦

Path Size
lexical - cjs 31.18 KB (0%)
lexical - esm 31 KB (0%)
@lexical/rich-text - cjs 40.15 KB (-0.03% 🔽)
@lexical/rich-text - esm 32.83 KB (0%)
@lexical/plain-text - cjs 38.79 KB (0%)
@lexical/plain-text - esm 30.15 KB (0%)
@lexical/react - cjs 42 KB (0%)
@lexical/react - esm 34.23 KB (0%)

@Fetz Fetz marked this pull request as ready for review December 11, 2024 16:49
@ivailop7 ivailop7 added this pull request to the merge queue Dec 11, 2024
Merged via the queue into main with commit 6243c4b Dec 11, 2024
43 of 44 checks passed
@ivailop7 ivailop7 deleted the svelte-upgrade-2 branch December 11, 2024 20:24