Skip to content

Fix critical security vulnerabilities#98

Open
karlhorky wants to merge 20 commits intoSparkPost:masterfrom
karlhorky:master
Open

Fix critical security vulnerabilities#98
karlhorky wants to merge 20 commits intoSparkPost:masterfrom
karlhorky:master

Conversation

@karlhorky
Copy link

@karlhorky karlhorky commented Jan 31, 2020
edited
Loading

Hi there, first of all, thanks for this project! Nice to see work being done in the email ecosystem :)

There are a number of security vulnerabilities in the old dependencies here.

This pull request fixes some of the easier ones (fixed via npm audit fix) and also the critical vulnerability in open.

This is also affecting other projects which depend on heml, such as this one where I have been contributing:

Jinksi/netlify-cms-react-starter#26 (comment)

cc @jgzamora @avigoldman @shrirupa @gfriedmansp @nicklemmon

dependabot bot and others added 18 commits January 31, 2020 10:16
@dependabot
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-render
f528be4 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.4 to 4.17.13.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.4...4.17.13)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-validate
1d0feba 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.4 to 4.17.13.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.4...4.17.13)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-utils
72b309f 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.4 to 4.17.13.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.4...4.17.13)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-styles
6ecf619 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.4 to 4.17.13.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.4...4.17.13)

Signed-off-by: dependabot[bot] <support@github.com>
@karlhorky
Fix critical security vulnerabilities
c75df42
@dependabot
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-inline
6be661c 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.4 to 4.17.13.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.4...4.17.13)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-parse
33b8a2b 
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.4 to 4.17.13.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.4...4.17.13)

Signed-off-by: dependabot[bot] <support@github.com>
@karlhorky
Merge pull request SparkPost#8 from karlhorky/dependabot/npm_and_yarn…
ef49d75 
…/packages/heml-inline/lodash-4.17.13

Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-inline
@karlhorky
Merge pull request SparkPost#1 from karlhorky/dependabot/npm_and_yarn…
0e49a04 
…/packages/heml-render/lodash-4.17.13

Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-render
@karlhorky
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-validate (SparkP…
f7814e1 
…ost#3)

Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-validate
@karlhorky
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-utils (SparkPost#4)
5a9eb73 
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-utils
@karlhorky
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-styles (SparkPost#5
c203b16 
)

Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-styles
@karlhorky
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-parse (SparkPost#7)
949a88d 
Bump lodash from 4.17.4 to 4.17.13 in /packages/heml-parse
@karlhorky
Auto-fix npm audit vulnerabilities
257965f
@dependabot
Bump nwmatcher from 1.4.3 to 1.4.4
366d2d5 
Bumps [nwmatcher](https://github.com/dperini/nwmatcher) from 1.4.3 to 1.4.4.
- [Release notes](https://github.com/dperini/nwmatcher/releases)
- [Commits](https://github.com/dperini/nwmatcher/commits)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
Bump diff from 3.4.0 to 3.5.0
5e049be 
Bumps [diff](https://github.com/kpdecker/jsdiff) from 3.4.0 to 3.5.0.
- [Release notes](https://github.com/kpdecker/jsdiff/releases)
- [Changelog](https://github.com/kpdecker/jsdiff/blob/master/release-notes.md)
- [Commits](kpdecker/jsdiff@v3.4.0...v3.5.0)

Signed-off-by: dependabot[bot] <support@github.com>
@karlhorky
Merge pull request SparkPost#10 from karlhorky/dependabot/npm_and_yar…
ed4a4ae 
…n/nwmatcher-1.4.4

Bump nwmatcher from 1.4.3 to 1.4.4
@karlhorky
Bump diff from 3.4.0 to 3.5.0 (SparkPost#11)
bef30a1 
Bump diff from 3.4.0 to 3.5.0
@karlhorky karlhorky mentioned this pull request Jan 31, 2020
Merged
@karlhorky
Copy link
Author

karlhorky commented Jan 31, 2020

cc @jgzamora @avigoldman @shrirupa @gfriedmansp @nicklemmon

jgzamora
jgzamora approved these changes Feb 19, 2020
View reviewed changes
Copy link

@jgzamora jgzamora left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR @karlhorky , LGTM! I'm not super used to working on this project so it might take me a bit to ramp up on the publishing process. Once I figure it out I will merge and publish

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jgzamora jgzamora jgzamora approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@karlhorky @jgzamora