
path-to-regexp dependency vuln fix #1430

Merged
merged 1 commit into from
Dec 16, 2024

Conversation

@rBangay (Contributor) commented Dec 16, 2024

What does this PR change?

Bump relevant peer dependencies in order to bump the version of path-to-regexp that the project uses to a patched version.

Fixes the vulnerabilities reported by Snyk and Dependabot:
https://app.snyk.io/org/guardian-value/project/8acda083-6b55-431d-a2e0-a985b2349e78#issue-SNYK-JS-PATHTOREGEXP-8482416

@rBangay rBangay requested a review from a team December 16, 2024 14:13
@MaelGNM (Contributor) left a comment


👍

@@ -145,7 +145,7 @@
"@emotion/react": "11.11.1",
"@guardian/ab-core": "2.0.0",
"@guardian/ab-react": "2.0.1",
"@guardian/commercial": "23.7.4",
"@guardian/commercial": "^23.7.5",
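Review bot: the @guardian/commercial entry changes from an exact pin "23.7.4" to the caret range "^23.7.5", while the neighbouring entries in the same hunk ("@emotion/react": "11.11.1", "@guardian/ab-core": "2.0.0", "@guardian/ab-react": "2.0.1") remain exactly pinned. If the goal is only to pull in the release that carries the patched path-to-regexp, an exact "23.7.5" keeps the file's pinning convention and lets a reviewer read the resolved version off package.json instead of only the lockfile; if accepting future 23.x minors is intended, say so in the PR description so the widened range is a recorded decision rather than an incidental one.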
Member left a comment

What does the extra ^ thing do?

Member left a comment

According to Google, it lets it automatically update the minor and patch version. But isn't that what package.json is supposed to prevent?

@rBangay (Contributor Author) left a comment

If you don't use the caret, then yes. If you have confidence that minor version bumps won't break anything, then you can add the caret and let npm/yarn install the latest in the line of minor versions.
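Added example (JavaScript, not code from this PR or from the project it belongs to): a minimal implementation of npm's caret-range rule, so the `"23.7.4"` to `"^23.7.5"` change discussed above can be checked concretely against a list of candidate versions. It goes beyond the thread in also covering the `0.x` and `0.0.x` cases, where a caret is narrower than "minor and patch". The `SAMPLE_VERSIONS` list is constructed for the example and is not what any real registry publishes.

```javascript
// Caret ranges: "^x.y.z" permits any version >= x.y.z that does not change
// the left-most non-zero component of [major, minor, patch].
//   ^23.7.5 -> >=23.7.5 <24.0.0   (minor and patch may move)
//   ^0.7.5  -> >=0.7.5  <0.8.0    (only patch may move)
//   ^0.0.5  -> exactly 0.0.5
// Plain x.y.z versions only; pre-release tags are out of scope here.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive lower bound and exclusive upper bound for a caret range.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lower = parseVersion(range.slice(1));
  const [major, minor, patch] = lower;
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];        // ^23.7.5 -> <24.0.0
  else if (minor > 0) upper = [0, minor + 1, 0];   // ^0.7.5  -> <0.8.0
  else upper = [0, 0, patch + 1];                  // ^0.0.5  -> <0.0.6
  return { lower, upper };
}

function satisfiesCaret(range, version) {
  const { lower, upper } = caretBounds(range);
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Given the versions a registry reports, return the one a package manager
// would pick for the range (the highest that satisfies it), or null.
function resolveCaret(range, available) {
  const matching = available.filter((v) => satisfiesCaret(range, v));
  if (matching.length === 0) return null;
  matching.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return matching[matching.length - 1];
}

// Constructed list of published versions for the demonstration (not a real registry).
const SAMPLE_VERSIONS = ['23.7.4', '23.7.5', '23.8.0', '23.9.1', '24.0.0'];

console.log(satisfiesCaret('^23.7.5', '23.7.4')); // false: below the floor, still the unpatched line
console.log(satisfiesCaret('^23.7.5', '23.9.1')); // true: same major, newer minor
console.log(satisfiesCaret('^23.7.5', '24.0.0')); // false: major changed
console.log(resolveCaret('^23.7.5', SAMPLE_VERSIONS)); // 23.9.1
console.log(satisfiesCaret('^0.7.5', '0.8.0')); // false: a 0.x caret pins the minor
```

The caret only widens what package.json accepts; the version actually installed is whatever the lockfile (yarn.lock or package-lock.json) records. When reviewing a dependency fix like this one, the check that matters is therefore the resolved path-to-regexp version in the lockfile, not the range string alone.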

@rBangay rBangay merged commit 6162a6f into main Dec 16, 2024
13 checks passed
@rBangay rBangay deleted the path-to-regexp-vuln-fix branch December 16, 2024 14:42
@prout-bot (Collaborator) commented

Seen on PROD (merged by @rBangay 9 minutes and 39 seconds ago). Please check your changes!
