Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resolve babel vulnerability #262

Merged
merged 2 commits into from
Jul 31, 2024
Merged

Resolve babel vulnerability #262

merged 2 commits into from
Jul 31, 2024

Conversation

tijn
Copy link
Collaborator

@tijn tijn commented Jun 26, 2024

What Changed & Why

  • Remove the deprecated istanbul pacakage
  • Install nyc

Dependabot reported a vulnerability in babel-traverse. This in itself is not an issue for this project since we're not compiling code that's specifically crafted by an attacker with it. However, while looking at package-lock-json I found out that the reason for installing babel-traverse is istanbul. And that package has been deprecated. This PR replaces istanbul with nyc.

Bug/Ticket Tracker

https://github.com/devour-js/devour-client/security/dependabot/26

Documentation

https://www.npmjs.com/package/istanbul

Third-Party

nyc - it was recommended by the author of istanbul as its replacement. It also has a permissible ISC license, functionally equivalent to the simplified BSD and MIT licenses.

tijn added 2 commits June 26, 2024 11:24
This also removes the babel-traverse version which is vulnerable to
arbitrary code execution.

istanbul author message:

This module is no longer maintained, try this instead: npm i nyc
Visit https://istanbul.js.org/integrations for other alternatives.

See https://www.npmjs.com/package/istanbul
Another code coverage tool that is recommended by the author of nyc.
@tijn tijn requested a review from auvipy June 26, 2024 09:35
@tijn tijn self-assigned this Jun 26, 2024
@auvipy
Copy link
Collaborator

auvipy commented Jun 26, 2024

Is everything working like before? Do we need to adjust / update tests etc?

@tijn
Copy link
Collaborator Author

tijn commented Jun 27, 2024

Is everything working like before? Do we need to adjust / update tests etc?

@auvipy I looked for it but it seems there was no code directly calling istanbul. As far as I can see it just provided an executable that you can run to gather information about the code, and nyc (allegedly) does the same.

@tijn
Copy link
Collaborator Author

tijn commented Jul 31, 2024

@auvipy shall I merge this pull request?

@auvipy auvipy merged commit 20fde27 into master Jul 31, 2024
3 checks passed
@tijn tijn deleted the babel-vulnerability branch July 31, 2024 13:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants