
feat: bump CLI dependencies to use patched @snyk/lodash #1093

Merged: 1 commit into master from feat/bump-deps-to-use-patched-lodash, Apr 30, 2020

Conversation

lili2311 (Contributor) commented Apr 29, 2020

  • Ready for review
  • Follows CONTRIBUTING rules
  • Reviewed by Snyk internal team

What does this PR do?

Bump CLI dependencies to use the non-vulnerable forked version of lodash, or remove it entirely.
As part of this fix, all transitives that rely on lodash have been updated to use the non-vulnerable @snyk/lodash instead.

Links

@lili2311 lili2311 requested a review from a team as a code owner April 29, 2020 14:54
@lili2311 lili2311 self-assigned this Apr 29, 2020
@ghost ghost requested review from anthogez and ekbsnyk April 29, 2020 14:54
@lili2311 lili2311 force-pushed the feat/bump-deps-to-use-patched-lodash branch from 3e98f05 to 46a49c2 April 29, 2020 14:58
@lili2311 lili2311 changed the title feat: bump snyk-mvn-plugin that uses patched lodash feat: bump CLI dependencies to use patched @snyk/lodash Apr 29, 2020
@joeholdcroft joeholdcroft force-pushed the feat/bump-deps-to-use-patched-lodash branch from dc11f22 to adbb303 April 29, 2020 16:23
anthogez (Member) left a comment

What do you think of the solution below? 🤔

```ts
import * as path from 'path';
import { loadConfig } from 'snyk-config';
// path.join avoids the missing separator in __dirname + '../..'
export const config: any = loadConfig(path.join(__dirname, '..', '..'));
```

Btw good job on the lodash changes 💯

anthogez previously approved these changes Apr 29, 2020
lili2311 (Contributor, Author) commented:

@anthogez we could go with `any`, but then we lose all the types that we have types for.

Vulnerability in lodash@4.17.15
No fix available, so using @snyk/lodash

Using @snyk/inquirer and @snyk/graphlib because of transitive
dependencies on vulnerable lodash

Bump to snyk internal packages that include lodash patch
@joeholdcroft joeholdcroft force-pushed the feat/bump-deps-to-use-patched-lodash branch from 2885e61 to c359e05 April 30, 2020 12:16
@joeholdcroft joeholdcroft merged commit d7ebe15 into master Apr 30, 2020
@joeholdcroft joeholdcroft deleted the feat/bump-deps-to-use-patched-lodash branch April 30, 2020 12:34
snyksec commented Apr 30, 2020

🎉 This PR is included in version 1.316.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
