
Dependabot babel #306

Merged
merged 2 commits into from
May 15, 2024

Conversation

davidfurey

What does this change?

Upgrades loader-utils and webpack to resolve Dependabot vulnerabilities. I missed these in the previous PR, because yarn audit didn't pick up on them.

Added `"resolutions": { "**/**/loader-utils": "1.4.2" }` to package.json, ran `yarn install` to update lock file, and then removed this line.

See https://stackoverflow.com/questions/57281107/avoiding-vulnerable-indirect-dependency-with-yarn and https://classic.yarnpkg.com/en/docs/selective-version-resolutions/

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
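The `resolutions` trick above only pins the transitive dependency while the line is present; what actually matters afterwards is what `yarn.lock` resolves to. As an added example (not code from this PR or repository), the following scans a classic v1 `yarn.lock` for every resolved version of a package and flags entries still below the fixed release, the check a reviewer would run to confirm no vulnerable `loader-utils` entry survived. The lock content is constructed sample input.

```javascript
// Parse a yarn.lock (v1 / classic format) into { name, specs, version } entries.
// Header lines are unindented, end with ":" and list comma-separated "name@range"
// specs (quoted when the name is scoped); "  version "x.y.z"" follows underneath.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const specs = line.slice(0, -1).split(",").map(s => s.trim().replace(/^"|"$/g, ""));
      // Package name is everything before the last "@" (scoped names begin with "@").
      const name = specs[0].slice(0, specs[0].lastIndexOf("@"));
      current = { name, specs, version: null };
      entries.push(current);
    } else if (current && /^\s+version\s+"/.test(line)) {
      current.version = line.match(/"([^"]+)"/)[1];
    }
  }
  return entries;
}

// Numeric compare of the major.minor.patch parts; prerelease suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(".").map(x => parseInt(x, 10) || 0);
  const pb = b.split(".").map(x => parseInt(x, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lock entries for `pkg` whose resolved version is older than `fixed`.
function vulnerableEntries(lockText, pkg, fixed) {
  return parseYarnLock(lockText).filter(
    e => e.name === pkg && e.version && compareVersions(e.version, fixed) < 0
  );
}

// Constructed sample: one loader-utils range still resolving to an old 1.x release.
const SAMPLE_LOCK = `# yarn lockfile v1

"@babel/core@^7.0.0":
  version "7.24.5"

loader-utils@^1.2.3, loader-utils@^1.4.0:
  version "1.4.2"

loader-utils@^1.1.0:
  version "1.1.0"
`;

const stale = vulnerableEntries(SAMPLE_LOCK, "loader-utils", "1.4.2");
console.log(stale.map(e => `${e.specs.join(", ")} -> ${e.version}`));
```

Run it against the real lock file with `fs.readFileSync("yarn.lock", "utf8")` in place of the sample; an empty result means every range of the package now resolves at or above the fixed version.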
@davidfurey davidfurey requested review from twrichards and a team as code owners May 15, 2024 08:01
@twrichards twrichards left a comment


did a quick cursory check in CODE - all looks well

@davidfurey davidfurey merged commit f9ce013 into main May 15, 2024
1 check passed
@davidfurey davidfurey deleted the dependabot-babel branch May 15, 2024 13:16
@prout-bot

Seen on PROD (merged by @davidfurey 3 minutes and 12 seconds ago) Please check your changes!
