Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[UNSAFE] build: update yarn.lock to fix audit output #3434

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[UNSAFE] build: update yarn.lock to fix audit output #3434

wants to merge 1 commit into from

Conversation

up-up-and-away[bot]
Copy link

@up-up-and-away up-up-and-away bot commented Nov 30, 2023
edited

We ran uuaw --audit and it resulted in a clean yarn audit.

Attempting to fix advisory: GHSA-c2qf-rxjj-qqgw - semver vulnerable to Regular Expression Denial of Service
Scanning dependency chain:
     lerna --> @lerna/legacy-package-management --> semver
[1/5] Trying from: semver@7.3.8
    Resolving: semver@7.3.8 --> 7.3.8
[1/5] Chain results in vulnerable version: semver@7.3.8
[2/5] Trying from: @lerna/legacy-package-management@6.6.2
    Resolving: @lerna/legacy-package-management@6.6.2 --> 6.6.2
    Resolving: semver@7.3.8 --> 7.3.8
[2/5] Chain results in vulnerable version: semver@7.3.8
[3/5] Trying from: lerna@^6.6.2
    Resolving: lerna@^6.6.2 --> 6.6.2
    Resolving: @lerna/legacy-package-management@6.6.2 --> 6.6.2
    Resolving: semver@7.3.8 --> 7.3.8
[3/5] Chain results in vulnerable version: semver@7.3.8
[4/5] [UNSAFE] Trying from: lerna@^7.0.0
    Resolving: lerna@^7.0.0 --> 7.4.2
[4/5] [UNSAFE] Updating chain to latest starting at: lerna@^7.0.0 results in cutting the known chain
[4/5] [UNSAFE] Running yarn install now

Attempting to fix advisory: GHSA-c2qf-rxjj-qqgw - semver vulnerable to Regular Expression Denial of Service
Scanning dependency chain:
     syncpack --> semver
[1/6] Trying from: semver@7.3.8
    Resolving: semver@7.3.8 --> 7.3.8
[1/6] Chain results in vulnerable version: semver@7.3.8
[2/6] Trying from: syncpack@^8.4.11
    Resolving: syncpack@^8.4.11 --> 8.5.14
    Resolving: semver@7.3.8 --> 7.3.8
[2/6] Chain results in vulnerable version: semver@7.3.8
[3/6] [UNSAFE] Trying from: syncpack@^9.0.0
    Resolving: syncpack@^9.0.0 --> 9.8.6
    Resolving: semver@7.5.0 --> 7.5.0
[3/6] [UNSAFE] Chain results in vulnerable version: semver@7.5.0
[4/6] [UNSAFE] Trying from: syncpack@^10.0.0
    Resolving: syncpack@^10.0.0 --> 10.9.3
    Resolving: semver@7.5.4 --> 7.5.4
[4/6] [UNSAFE] Updating chain to latest starting at: syncpack@^10.0.0 results in a patched version: semver@7.5.4
[4/6] [UNSAFE] Running yarn install now

Audit is clean, looking good cap'n

@up-up-and-away up-up-and-away bot requested a review from a team as a code owner November 30, 2023 15:02
@up-up-and-away up-up-and-away bot force-pushed the auto-uuaw/root branch 2 times, most recently from 6285821 to c382138 Compare December 7, 2023 15:01
@up-up-and-away up-up-and-away bot force-pushed the auto-uuaw/root branch 2 times, most recently from f965381 to e24a95b Compare December 19, 2023 15:01
@up-up-and-away up-up-and-away bot force-pushed the auto-uuaw/root branch 2 times, most recently from bf63ef6 to 4841266 Compare January 10, 2024 15:02
@up-up-and-away up-up-and-away bot force-pushed the auto-uuaw/root branch 2 times, most recently from 2f38472 to 4cf2149 Compare January 19, 2024 15:02
@erikian erikian self-assigned this Jan 19, 2024
@erikian erikian marked this pull request as draft January 19, 2024 16:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@erikian erikian

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@erikian