
[rush] Rush is dependent on a version of got(9.6.0) which has a security vulnerability #3927

Closed
samhristov opened this issue Jan 26, 2023 · 5 comments · Fixed by #3968

@samhristov
Contributor

Summary

Rush is dependent on got (9.6.0). There is a security advisory recommending an update.

Standard questions

Please answer these questions to help us investigate your issue more quickly:

Question                                    Answer
@microsoft/rush globally installed version? 5.88.2
rushVersion from rush.json?                 5.88.2
useWorkspaces from rush.json?               yes
Operating system?                           Windows/Linux
Would you consider contributing a PR?       Yes
Node.js version (node -v)?                  16.16.0
@TheLarkInn
Member

This is coming from package-json/6.5.0. Luckily I found that Sindre patched this before he moved the package to ESM. I'll open a PR in npm-check to update this.

@TheLarkInn
Member

I opened dylang/npm-check#499 if there is a release incoming. Blocked on this here. If needed, I could try and pin it with pnpm-config.json with a globalOverride but I'll wait on a response first.

@samhristov
Contributor Author

Hey Sean, is it possible to override? I forked the repo and saw that that solved the issue, but I saw you guys had no other packages in the globalOverride, so I didn't know whether that's conventional to use at all. But if it's possible to release a temporary version with the newer got package. I saw the second ticket you've opened; I see that the package-json package has this as a dependency and that it's fixed. I'm not too sure, but I think there's also a dependency on update-notifier for npm-check, which also uses got 9.6.0. Anyway, I don't know if you guys do this, but if you could patch it in the global override that would be a big help. Thank you!

@TheLarkInn
Member

@samhristov If I don't hear anything by the end of next week from @dylang I'll use the globalOverrides feature. Feel free to bump if you don't hear anything from me in this issue.

@TheLarkInn TheLarkInn linked a pull request Feb 9, 2023 that will close this issue
@iclanton iclanton moved this to Closed in Bug Triage Aug 15, 2023
@RichardChen820

@TheLarkInn I still got this issue when I was using the latest v5.112.1, where the ADO vulnerability scan raised an alert saying got(9.6.0) is not secure.

/common/temp/install-run/@[email protected]/node_modules/got/package.json

I tried adding the following setting in common-version.json, but it does not work:

"preferredVersions": {
  "package-json": "~7.0.0"
},

How can I mitigate this problem?
