
[Snyk] Security upgrade lerna from 3.15.0 to 3.18.0 #314

Merged
merged 2 commits into from
Jun 3, 2020

Conversation

snyk-bot
Contributor

@snyk-bot snyk-bot commented Jun 2, 2020

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.


Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:

    • package.json
    • package-lock.json
  • Adding or updating a Snyk policy (.snyk) file; this file is required in order to apply Snyk vulnerability patches.

Vulnerabilities that will be fixed

With an upgrade:
Severity: medium
Issue: Prototype Pollution (SNYK-JS-YARGSPARSER-560381)
Breaking Change: No
Exploit Maturity: Proof of Concept
Commit messages
Package name: lerna
The new version differs by 141 commits.
  • 0ea8fb1 chore(release): v3.18.0
  • 31eff33 chore: reset lockfile
  • ccf32e1 feat(package-graph): Deprecate method `pruneCycleNodes()`
  • d4912c9 refactor(package-graph): Split classes into separate files
  • 31ad11e chore: Upgrade eslint + plugins
  • ec95403 feat: Remove unused @lerna/run-parallel-batches
  • d136fb5 feat: Remove unused @lerna/batch-packages
  • f2c3a92 feat(filter-options): Rename `--include-filtered-*` options
  • 73badee feat(filter-options): Use figgy-pudding in getFilteredPackages()
  • ff50e29 feat(filter-options): Add `--exclude-dependents` option
  • 54dca56 fix(bootstrap): Move all filter logging into get-filtered-packages method
  • a706023 feat(filter-options): Allow command to continue if no packages are matched (#2280)
  • 5e60213 feat: Upgrade to yargs@14
  • ac8385d fix(options): Explicit `--use-workspaces`
  • 6948a11 fix(options): Explicit `--force-local`
  • 1d9552c fix(options): Explicit `--pre-dist-tag`
  • 343a751 fix(options): Explicit `--force-publish`
  • f3581ae fix(options): Explicit `--conventional-prerelease`
  • f73e6ed fix(options): Explicit `--conventional-graduate`
  • efcb3bd fix(options): Explicit `--ignore-scripts`
  • fa21723 fix(options): Explicit `--ignore-prepublish`
  • f2c8ab3 test: Add prepublish to lifecycle leaf
  • 276682b chore: Add options argument to run-lifecycle mock
  • b822060 docs: Add `command.publish.registry` example (#2300)

See the full diff

With a Snyk patch:
Severity: medium
Issue: Prototype Pollution (SNYK-JS-LODASH-567746)
Exploit Maturity: Proof of Concept

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
  • View latest project report
  • Adjust project settings
  • Read more about Snyk's upgrade and patch logic

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381


The following vulnerabilities are fixed with a Snyk patch:
- https://snyk.io/vuln/SNYK-JS-LODASH-567746
@snyk-bot snyk-bot requested a review from a team June 2, 2020 05:48
package.json Outdated
"snyk-protect": "snyk protect",
"prepare": "npm run snyk-protect"
},
"dependencies": {

Shouldn't it be a devDependency?


Since this is the root of a monorepo it doesn't impact much, but yes.

@bingenito
Member

I'm closing this w/o merge and removing snyk integration in favor of GitHub dependabot and security checks. It doesn't look like a 1:1 move from greenkeeper for raising awareness of breaking changes so it adds little value until that is investigated further.

@bingenito bingenito closed this Jun 2, 2020
@bingenito bingenito reopened this Jun 2, 2020
@bingenito
Member

@Morgan-Stanley/desktopjs-core I moved snyk to devDependencies. Since I did a commit on this I need one of you to please approve pending build success.

Contributor

@Sly1024 Sly1024 left a comment


I have no idea about the .snyk file, but package.json looks good to me.

@bingenito bingenito merged commit 18fdd29 into master Jun 3, 2020
@bingenito bingenito deleted the snyk-fix-35f87a868a7aba9e1fe060dc6eb17dcb branch June 4, 2020 21:51