Comments (11)
I think the issue with the template may have arisen because I pressed the "new issue" button when I was not logged in. I was then redirected via an authentication mechanism, which maybe didn't end up at quite the same destination as I would have reached had I started off being logged in.
from retire.js.
Sorry to reopen, but having tested this, I don't think this change is sufficient.
Although you updated `package-lock.json`, that's not a file you should be changing manually - you should only be committing it when it has been updated after you make changes to `package.json` and rerun `npm install`.
Any project that depends on retire still gets the vulnerable version of vm2, because it uses your unchanged package.json to work out the dependencies. At the moment, I don't think there is an available proxy-agent version that you can specify in package.json that will fix this.
from retire.js.
Did you delete the template or did the issue turn up like this?
from retire.js.
I was presented with a blank issue to fill in - no template appeared.
from retire.js.
I am asking because there is no version number in this bug report, and vm2 was bumped to 3.9.15 in 37c4841#diff-fe08a25452e458b30a1a03997ba261f52747279013dea03225131aee67a56d2cR3116
from retire.js.
That sounds like it should fix the issue (though there is actually a 3.9.16 now available).
My apologies for not spotting the version 4.1.1 - that's just a tag, not a release.
from retire.js.
4.1.1 is released to npm as well. Also fixed in version 3.2.4 46f694c#diff-fe08a25452e458b30a1a03997ba261f52747279013dea03225131aee67a56d2cR2202
from retire.js.
It's weird you didn't get a template. This is what I see
from retire.js.
Oh, and thanks for reporting anyways!
from retire.js.
That's a good point. I did not manually change `package-lock.json`, but updated it using `npm audit fix`.
But I think the problem is that `package-lock.json` is not included in the npm package, so that fix never makes it.
I'll probably have to manually add those dependencies to update them, which is... annoying...
from retire.js.
```
# docker run -w /tmp --entrypoint /bin/sh --rm -it node:alpine -c "npm install retire ; npm audit ; npm ls --depth 10 | grep vm2"
added 66 packages in 2s
1 package is looking for funding
  run `npm fund` for details
npm notice
npm notice New patch version of npm available! 9.6.3 -> 9.6.4
npm notice Changelog: https://github.com/npm/cli/releases/tag/v9.6.4
npm notice Run npm install -g npm@9.6.4 to update!
npm notice
found 0 vulnerabilities
| | | | `-- vm2@3.9.16
```
Note specifically that `npm audit` returns `found 0 vulnerabilities` and that vm2 is on version 3.9.16, which is the latest.
from retire.js.
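The `npm ls --depth 10 | grep vm2` check above shows only the leaf line; the following added example (not code from the retire.js project) walks the tree that `npm ls --json --all` emits and reports every chain that reaches a given package, flagging versions below the threshold passed in (3.9.15 here, the version the maintainer bumped to). The tree, the `some-tool` package and the `retire`/`proxy-agent` version numbers are constructed for illustration.

```javascript
// Added example: locate every dependency chain that ends in `target` inside an
// `npm ls --json --all` style tree and flag versions below `fixedVersion`.
// The tree below is constructed for illustration and is not real npm output.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    retire: {                       // constructed version numbers
      version: "3.2.3",
      dependencies: {
        "proxy-agent": {
          version: "5.0.0",
          dependencies: { vm2: { version: "3.9.14" } },
        },
      },
    },
    "some-tool": {                  // constructed second consumer of vm2
      version: "2.0.0",
      dependencies: { vm2: { version: "3.9.16" } },
    },
  },
};

// Numeric compare of dotted versions; pre-release suffixes are not handled.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Returns [{ path, version, vulnerable }] for each occurrence of `target`,
// in the order npm lists the dependencies.
function findDependencyPaths(tree, target, fixedVersion) {
  const hits = [];
  const walk = (node, trail) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const path = [...trail, name];
      if (name === target) {
        hits.push({
          path: path.join(" > "),
          version: child.version,
          vulnerable: versionLessThan(child.version, fixedVersion),
        });
      }
      walk(child, path);
    }
  };
  walk(tree, [tree.name]);
  return hits;
}
```

Feed it the parsed output of `npm ls --json --all` from a consumer project to see which top-level dependency is still pulling in the old vm2, which is the question the lockfile of a library cannot answer for its consumers.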