Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

@uppy/companion depends on vulnerable versions of got and jsonwebtoken #4317

Closed
2 tasks done
stefanhorning opened this issue Feb 13, 2023 · 4 comments
Closed
2 tasks done

@uppy/companion depends on vulnerable versions of got and jsonwebtoken #4317

stefanhorning opened this issue Feb 13, 2023 · 4 comments
Assignees
@mifi
Labels
Companion The auth server (for Instagram, GDrive, etc) and upload proxy (for S3) 🔐 Security

Comments

@stefanhorning
Copy link

stefanhorning commented Feb 13, 2023
edited
Loading

Initial checklist

  • I understand this is a bug report and questions should be posted in the Community Forum
  • I searched issues and couldn’t find anything (or linked relevant results below)

Link to runnable example

No response

Steps to reproduce

  1. Add "@uppy/companion": "^4.2.0" to your package.json (depdendencies section)
  2. Run npm install
  3. Run npm audit

Expected behavior

Dependencies of @uppy/companion do not show up in output of npm audit.

Actual behavior

This output appears:

node_modules/jsonwebtoken
  @uppy/companion  *
  Depends on vulnerable versions of got
  Depends on vulnerable versions of jsonwebtoken

Which also prevents me to upgrade jsonwebtoken to version 9.0.0 in this project, as I planned to do in accordance with GHSA-qwph-4952-7xr6 and GHSA-hjrf-2m68-5959
@arturi arturi added Companion The auth server (for Instagram, GDrive, etc) and upload proxy (for S3) 🔐 Security and removed Bug Triage labels Feb 13, 2023
@mifi
Copy link
Contributor

mifi commented Feb 15, 2023

as for jsonwebtoken, see #4258

as for got, which vulnerabilities does it have? we are on got@11.8.5 which has the latest security fixes, except for this: sindresorhus/got@v11.8.5...v11.8.6
however I believe that is not a security fix

@stefanhorning
Copy link
Author

Hi, thanks for the quick reply!
I mostly opened this issue for the jsonwebtoken case and only mentioned got too as npm audit was complaining about that as well, but it's probably less relevant.

So as far as I am concerned this ticket could be closed with the jsonwebtoken issue already addressed :)

@mifi
Copy link
Contributor

mifi commented Feb 17, 2023

we're planning on making a new major companion version release with jsonwebtoken, but we want to include some more breaking things also

mifi added a commit that referenced this issue Mar 13, 2023
@mifi
upgrade got to 12
ab8cefa 
fixes #4317

also upgrade jest to fix jestjs/jest#13008
This was referenced Mar 13, 2023
Closed
Merged
aduh95 added a commit that referenced this issue Mar 28, 2024
@aduh95
upgrade got to 12
4178e47 
fixes #4317
@mifi
Copy link
Contributor

mifi commented Apr 22, 2024

I believe this can be closed because jsonwebtoken was already upgraded to 9 #4751 and got in #5035

@mifi mifi closed this as completed Apr 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mifi mifi

Labels
Companion The auth server (for Instagram, GDrive, etc) and upload proxy (for S3) 🔐 Security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

@uppy/companion: upgrade got to 12 transloadit/uppy
3 participants
@mifi @stefanhorning @arturi