[Bug] Critical vulnerability in due to outdated dependency `git-url-parse`
Describe the bug
Critical vulnerability related to the `git-url-parse` sub-dependency `parse-url`. It is not possible to fix it in my projects by yarn resolutions since it is related to major version upgrades containing breaking changes. To fix it, `git-url-parse` must be upgraded to version 12.
Note: high and moderate vulnerabilities are also going to be fixed by this dependency upgrade.
Steps to reproduce the behaviour
- clone repo;
- run `yarn`;
- run `yarn audit`;
Expected behaviour
No critical and high vulnerabilities.
Screenshots and/or logs
Environment
- Node.js version: v16.13.1
- NPM version: 8.1.2
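The reproduce-and-audit procedure above, turned into a CI gate as an added example (not code from the issue or from the project it was filed against). It assumes Yarn classic's `yarn audit --json` output: one JSON object per line, an `auditAdvisory` record per dependency path (so the same advisory id repeats when a vulnerable package is reached through several paths) followed by one `auditSummary` record. All advisory data embedded below is constructed, and the package names other than `git-url-parse` and `parse-url` are placeholders.

```javascript
// Added example: fail a build on `yarn audit --json` findings at or above a
// chosen severity. Not code from the issue or the project. Assumes the Yarn
// classic (v1) NDJSON audit format described in the lead-in; the sample
// records at the bottom are constructed, not real advisories.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Parse NDJSON audit output into advisories (deduplicated by advisory id,
// keeping every dependency path that reaches them) plus the summary counts.
function parseYarnAudit(ndjson) {
  const advisories = new Map();
  let summary = null;
  for (const line of ndjson.split("\n")) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    let record;
    try {
      record = JSON.parse(trimmed);
    } catch (e) {
      continue; // skip non-JSON noise such as a stray warning line
    }
    if (record.type === "auditAdvisory") {
      const { advisory, resolution } = record.data;
      const entry = advisories.get(advisory.id) || {
        id: advisory.id,
        module: advisory.module_name,
        severity: advisory.severity,
        title: advisory.title,
        paths: [],
      };
      entry.paths.push(resolution.path);
      advisories.set(advisory.id, entry);
    } else if (record.type === "auditSummary") {
      summary = record.data.vulnerabilities;
    }
  }
  return { advisories: [...advisories.values()], summary };
}

// Advisories whose severity is at or above `minSeverity`; an unknown
// severity string in the input is treated as below every threshold.
function failingAdvisories(parsed, minSeverity) {
  const min = SEVERITY_RANK[minSeverity];
  if (min === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  return parsed.advisories.filter((a) => {
    const rank = SEVERITY_RANK[a.severity];
    return rank !== undefined && rank >= min;
  });
}

// The gate: ok === false means the build should fail.
function auditGate(ndjson, minSeverity = "high") {
  const parsed = parseYarnAudit(ndjson);
  const offenders = failingAdvisories(parsed, minSeverity);
  return { ok: offenders.length === 0, offenders, summary: parsed.summary };
}

// Constructed sample mirroring the situation in the issue: one critical
// advisory in parse-url reached through git-url-parse via two paths, plus a
// high and a moderate advisory in placeholder packages. Only the shape of the
// records follows Yarn's output; the ids, titles and versions are made up.
const advisoryRecord = (id, path, module, severity, title) => ({
  type: "auditAdvisory",
  data: {
    resolution: { id, path, dev: false },
    advisory: { id, module_name: module, severity, title },
  },
});
const SAMPLE_AUDIT_NDJSON =
  [
    advisoryRecord(1, "git-url-parse>parse-url", "parse-url", "critical", "constructed: SSRF in parse-url"),
    advisoryRecord(1, "some-tool>git-url-parse>parse-url", "parse-url", "critical", "constructed: SSRF in parse-url"),
    advisoryRecord(2, "placeholder-a", "placeholder-a", "high", "constructed: high finding"),
    advisoryRecord(3, "placeholder-b", "placeholder-b", "moderate", "constructed: moderate finding"),
    {
      type: "auditSummary",
      data: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1 } },
    },
  ]
    .map((r) => JSON.stringify(r))
    .join("\n") + "\n";

// Usage: `yarn audit --json | node audit-gate.js` (pipe the real output in);
// run without stdin to exercise the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  const input = process.stdin.isTTY ? SAMPLE_AUDIT_NDJSON : require("fs").readFileSync(0, "utf8");
  const result = auditGate(input, process.argv[2] || "high");
  for (const a of result.offenders) {
    console.log(`${a.severity}\t${a.module}\t${a.paths.join(", ")}`);
  }
  process.exitCode = result.ok ? 0 : 1;
}
```

Deduplicating on the advisory id matters in practice: Yarn emits one `auditAdvisory` record per dependency path, so a single `parse-url` advisory reached through several packages would otherwise be counted several times and obscure how many distinct fixes are actually needed.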
Issue Analytics
- Created a year ago
- Reactions: 6
- Comments: 6
Top GitHub Comments
Great to see that this dependency update was merged a few weeks ago! 👏 @jimmyandrade is there an upcoming release scheduled that will include that change?
@nedredmond My apologies, there is a separate vulnerability in `parse-url` via `git-parse-url` that is also an SSRF vulnerability. This is fixed in `git-url-parse` version 13+. I think this might be where the confusion is coming from.