
fix: Move utf7 encoding primitives to the module codebase #689

Merged
merged 1 commit into from
Aug 28, 2023

Conversation

mykola-mokhnach
Contributor

@mykola-mokhnach mykola-mokhnach commented Aug 25, 2023

The https://www.npmjs.com/package/utf7 package was last released 7 years ago and thus has vulnerable dependencies:

node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/npm-run-all/node_modules/semver
node_modules/read-pkg-up/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/utf7/node_modules/semver
  utf7  >=1.0.2
  Depends on vulnerable versions of semver
  node_modules/utf7
    appium-adb  >=7.20.0
    Depends on vulnerable versions of utf7
    node_modules/appium-adb

vm2  *
Severity: critical
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-cchq-frgv-rjh5
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-g644-9gfx-q4q4
No fix available

I have ported the actual code from the original module (there's not much) to a local helper file to get rid of vulnerable dependencies.
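As an added illustration of the kind of small, dependency-free primitive this PR vendors (example code, not appium-adb's own helper file): a UTF-7 codec for Node.js. It assumes the RFC 2152 variant (direct sets D and O, "+...-" shifted blocks of modified base64 over UTF-16BE) and nothing beyond the built-in Buffer.

```javascript
// Added example (not appium-adb's own helper): a dependency-free UTF-7
// codec (RFC 2152) in plain Node.js, the kind of small primitive a project
// can vendor instead of depending on an unmaintained package.

// Characters written unchanged: RFC 2152 Set D and Set O plus whitespace.
const DIRECT = /^[A-Za-z0-9'(),\-.\/:?!"#$%&*;<=>@\[\]^_`{|} \t\r\n]$/;
const B64 = /[A-Za-z0-9+\/]/;

// Encode: direct characters pass through, '+' becomes "+-", and every
// other run of UTF-16 code units becomes "+<modified base64>-".
function encode(str) {
  let out = '';
  for (let i = 0; i < str.length; ) {
    if (str[i] === '+') { out += '+-'; i++; continue; }
    if (DIRECT.test(str[i])) { out += str[i]; i++; continue; }
    let j = i;
    while (j < str.length && str[j] !== '+' && !DIRECT.test(str[j])) j++;
    const bytes = [];
    for (let k = i; k < j; k++) {
      const cu = str.charCodeAt(k);           // UTF-16BE, surrogates included
      bytes.push(cu >> 8, cu & 0xff);
    }
    // Modified base64: standard alphabet without '=' padding.
    out += '+' + Buffer.from(bytes).toString('base64').replace(/=+$/, '') + '-';
    i = j;
  }
  return out;
}

// Decode: a '+' opens a shifted block that runs until the first
// non-base64 character; a terminating '-' is absorbed, "+-" is a literal '+'.
function decode(str) {
  let out = '';
  for (let i = 0; i < str.length; ) {
    if (str[i] !== '+') { out += str[i]; i++; continue; }
    let j = i + 1;
    while (j < str.length && B64.test(str[j])) j++;
    const block = str.slice(i + 1, j);
    if (str[j] === '-') j++;
    if (block === '') {
      out += '+';
    } else {
      const bytes = Buffer.from(block, 'base64'); // Node tolerates missing padding
      for (let k = 0; k + 1 < bytes.length; k += 2) {
        out += String.fromCharCode((bytes[k] << 8) | bytes[k + 1]);
      }
    }
    i = j;
  }
  return out;
}
```

The RFC 2152 sample string "Hi Mom -☺-!" encodes to "Hi Mom -+Jjo--!" and round-trips through decode.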

@mykola-mokhnach mykola-mokhnach merged commit 334c0b6 into appium:master Aug 28, 2023
10 of 11 checks passed
github-actions bot pushed a commit that referenced this pull request Aug 28, 2023
## [9.14.9](v9.14.8...v9.14.9) (2023-08-28)

### Bug Fixes

* Move utf7 encoding primitives to the module codebase ([#689](#689)) ([334c0b6](334c0b6))

### Miscellaneous Chores

* Bump typescript from 5.0.4 to 5.2.2 ([#688](#688)) ([f3b5be1](f3b5be1))
@github-actions

🎉 This PR is included in version 9.14.9 🎉

The release is available on:

Your semantic-release bot 📦🚀
