Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JS-Yaml Denial of Service in v3.12 #3842

Closed
dannypaz opened this issue Mar 21, 2019 · 4 comments
Closed

JS-Yaml Denial of Service in v3.12 #3842

dannypaz opened this issue Mar 21, 2019 · 4 comments
Labels
area: node.js command-line-or-Node.js-specific area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes" type: bug a defect, confirmed by a maintainer
Milestone
v6.1.0

Comments

@dannypaz
Copy link

dannypaz commented Mar 21, 2019
edited
Loading

Just got a vulnerability message from npm on one of my repos using Mocha. Looks like the dep js-yaml needs to be updated from 3.12 to >=3.13

Screen Shot 2019-03-21 at 2 47 01 PM

Link: https://npmjs.com/advisories/788
@elf-mouse
Copy link

+1

@plroebuck plroebuck added type: bug a defect, confirmed by a maintainer semver-patch implementation requires increase of "patch" version number; "bug fixes" area: security involving vulnerabilities area: node.js command-line-or-Node.js-specific and removed unconfirmed-bug labels Mar 22, 2019
@plroebuck plroebuck added this to the v6.1.0 milestone Mar 22, 2019
@Xilis
Copy link

Xilis commented Mar 22, 2019

Fixed in #3843

@mayrbenjamin92
Copy link

When will 6.1.0 be released?

@plroebuck plroebuck mentioned this issue Mar 23, 2019
Merged
@nolanmar511
Copy link

I'm very excited to see this issue is fixed!
I see it's already been asked, but when will 6.1.0 be released?

I use mocha and have npm audit as a presubmit check, and would love to see that check passing again.

This was referenced Mar 28, 2019
Merged
Merged
@JustinBeckwith JustinBeckwith mentioned this issue Mar 31, 2019
Closed
@gchoqueux gchoqueux mentioned this issue Apr 2, 2019
Merged
@AlexZeitler AlexZeitler mentioned this issue Apr 6, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: node.js command-line-or-Node.js-specific area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes" type: bug a defect, confirmed by a maintainer
Projects
None yet
Milestone
v6.1.0
Development

No branches or pull requests
6 participants
@elf-mouse @dannypaz @Xilis @nolanmar511 @plroebuck @mayrbenjamin92