WordPress/twentynineteen pull request #675

This repository was archived by the owner on Jan 15, 2019. It is now read-only.

Conversation

@allancole

This PR addresses a critical security issue found in a dependency related to our build script.

- Downgrade event-stream dependency to 3.3.4
- Remove all references to flatmap-stream dependency
- See github warning for more info: dominictarr/event-stream#116
@allancole added the labels "bug" (Something isn't working), "in progress" and "high priority" on Nov 27, 2018
@allancole added this to the 5.0 milestone on Nov 27, 2018
@TwoAbove

@allancole Pretty sure that the recommendation is version 3.3.4, not 3.3.5

@allancole

@TwoAbove I went ahead and just removed it entirely. This seemed to have no negative effects on the build script.

Please test this and let me know if you discover any issues with it being removed completely :-)

@TwoAbove

@allancole Let me clone and check

@TwoAbove

@allancole
Looks good!

twoabove@MantaRay-u:/media/twoabove/SSD/Work/twentynineteen$ npm ls event-stream flatmap-stream
[email protected] /media/twoabove/SSD/Work/twentynineteen
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] 

TwoAbove (review comment)

https://www.npmjs.com/package/npm-run-all is the culprit: updating to version 4.1.5 removed the malicious dependency

@TwoAbove

@allancole https://www.npmjs.com/package/npm-run-all pulls flatmap-stream. Updating to 4.1.5 fixes that

(Sorry for the spam. Trying to help fix most of the stuff that we depend on even indirectly)

@ntwb

Bumping npm-run-all to 4.1.5 should resolve the issue (I've done this myself on various repos yesterday).

Aside: To get a "safe" version of event-stream it must be bumped to at least 4.x
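
The thread's quick check is `npm ls event-stream flatmap-stream` against an installed tree. As an added example (not code from this PR or from the twentynineteen project), the script below does the equivalent check against a committed `package-lock.json` so it can run in CI before `npm install` ever executes: it lists every pinned `event-stream` version and fails if `flatmap-stream` is present anywhere in the tree. It assumes the lockfileVersion 1 layout that npm 5/6 wrote in 2018 (a `"name": {` line followed by a `"version": "x.y.z"` line); the two sample lockfiles are constructed for the demonstration, and the package versions in the "bad" sample are illustrative rather than taken from the repository.

```shell
#!/bin/sh
# Added example, not from the PR or the twentynineteen project.
# Scans a lockfileVersion-1 package-lock.json for flatmap-stream and reports
# pinned event-stream versions. Only awk is used, so it runs offline.

# Print "name version" for every dependency entry in a lockfile.
# Relies on npm's v1 layout: a "name": { line, later a "version": "x.y.z" line.
lock_entries() {
    awk '
        /^[ \t]*"[^"]+": \{[ \t]*$/ {
            name = $1
            gsub(/^"|":$/, "", name)        # strip quotes and trailing colon
            next
        }
        /^[ \t]*"version": "/ {
            v = $2
            gsub(/^"|",?$/, "", v)          # strip quotes and trailing comma
            if (name != "") print name, v
            name = ""
        }
    ' "$1"
}

# Print each version of package $2 found in lockfile $1, one per line.
package_versions() {
    lock_entries "$1" | awk -v pkg="$2" '$1 == pkg { print $2 }'
}

# Return 0 if flatmap-stream is absent from the lockfile, 1 if any copy is present.
scan_lock() {
    lock="$1"
    for v in $(package_versions "$lock" event-stream); do
        echo "INFO: event-stream@$v pinned in $lock (thread guidance: 3.3.4, or 4.x for a clean line)"
    done
    bad=$(package_versions "$lock" flatmap-stream)
    if [ -n "$bad" ]; then
        for v in $bad; do echo "FAIL: flatmap-stream@$v present in $lock"; done
        return 1
    fi
    echo "OK: flatmap-stream not present in $lock"
    return 0
}

# Constructed sample lockfiles (illustrative versions, not copied from the repo):
# one mirroring the compromised state, one mirroring the state after the fix.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bad-lock.json" <<'EOF'
{
  "name": "sample-theme",
  "lockfileVersion": 1,
  "dependencies": {
    "npm-run-all": {
      "version": "4.1.3",
      "requires": { "ps-tree": "^1.1.0" },
      "dependencies": {
        "ps-tree": {
          "version": "1.1.0",
          "requires": { "event-stream": "~3.3.0" }
        },
        "event-stream": {
          "version": "3.3.6",
          "requires": { "flatmap-stream": "~0.1.0" }
        },
        "flatmap-stream": {
          "version": "0.1.1"
        }
      }
    }
  }
}
EOF
cat > "$SAMPLE_DIR/good-lock.json" <<'EOF'
{
  "name": "sample-theme",
  "lockfileVersion": 1,
  "dependencies": {
    "npm-run-all": {
      "version": "4.1.5",
      "requires": { "ps-tree": "^1.2.0" }
    },
    "ps-tree": {
      "version": "1.2.0",
      "requires": { "event-stream": "=3.3.4" }
    },
    "event-stream": {
      "version": "3.3.4"
    }
  }
}
EOF

# Usage: scan a real lockfile by passing its path as the first argument.
if [ -n "${1:-}" ]; then
    scan_lock "$1"
else
    scan_lock "$SAMPLE_DIR/bad-lock.json" || true
    scan_lock "$SAMPLE_DIR/good-lock.json"
fi
```

Scanning the lockfile rather than `node_modules` catches the bad pin in review, before anyone runs `npm install`; the `npm ls` command from the thread remains the right confirmation after installing, since it reflects what is actually on disk.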

@allancole

Should be all fixed in that last commit @TwoAbove @ntwb 👍

ntwb (review comment)

LGTM 👍

@allancole allancole merged commit 2a08a3f into master Nov 27, 2018
@kjellr kjellr deleted the fix/critical-github-security-issue branch November 30, 2018 15:14
pento pushed a commit to WordPress/wordpress-develop that referenced this pull request Nov 30, 2018
This change fixes a security issue found in a dependency script used in our build tool.

- The malicious dependency is now removed and no longer called when running `npm install` or `npm run build`.
- More info here: WordPress/twentynineteen#675

Props allancole, kjellr, netweb, twoabove.


git-svn-id: https://develop.svn.wordpress.org/branches/5.0@43956 602fd350-edb4-49c9-b593-d223f7449a82
markjaquith pushed a commit to markjaquith/WordPress that referenced this pull request Nov 30, 2018
This change fixes a security issue found in a dependency script used in our build tool.

- The malicious dependency is now removed and no longer called when running `npm install` or `npm run build`.
- More info here: WordPress/twentynineteen#675

Props allancole, kjellr, netweb, twoabove.

Built from https://develop.svn.wordpress.org/branches/5.0@43956


git-svn-id: http://core.svn.wordpress.org/branches/5.0@43788 1a063a9b-81f0-0310-95a4-ce76da25c4cd
gMagicScott pushed a commit to gMagicScott/core.wordpress-mirror that referenced this pull request Nov 30, 2018
This change fixes a security issue found in a dependency script used in our build tool.

- The malicious dependency is now removed and no longer called when running `npm install` or `npm run build`.
- More info here: WordPress/twentynineteen#675

Props allancole, kjellr, netweb, twoabove.

Built from https://develop.svn.wordpress.org/branches/5.0@43956


git-svn-id: https://core.svn.wordpress.org/branches/5.0@43788 1a063a9b-81f0-0310-95a4-ce76da25c4cd
miya0001 pushed a commit to cjk4wp/wordpress that referenced this pull request Dec 4, 2018
This change fixes a security issue found in a dependency script used in our build tool.

- The malicious dependency is now removed and no longer called when running `npm install` or `npm run build`.
- More info here: WordPress/twentynineteen#675

Props allancole, kjellr, netweb, twoabove.


git-svn-id: http://develop.svn.wordpress.org/branches/5.0@43956 602fd350-edb4-49c9-b593-d223f7449a82