Problem/Motivation
GitHub has notified me that minimist, one of our JS dependencies, has a vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598
Proposed resolution
Bump minimist from 1.2.0 to 1.2.5 in package.json and yarn.lock.
Remaining tasks
Patch, rebuild JS, commit
User interface changes
None
API changes
None
Data model changes
None
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#13 | 3120494-13.patch | 1.11 KB | jungle |
#3 | 3120494.patch | 1.11 KB | longwave |
Comments
Comment #2
longwave

Comment #3
longwave
Whoops, wrong patch
Comment #4
longwave

Comment #5
jungle
Changes are only made to the package minimist and it looks good to me, so I would RTBC it.
Comment #6
catch

Comment #7
jungle
The locked version is 1.2.5, not 1.2.2, so I am changing the title. Would you update the version in package.json too?
Comment #8
longwave
I think it is OK to specify a minimum version in package.json and have a higher version in the lock; this happens with Composer packages too. Improving the title a bit and setting back to RTBC.
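A check for the point made in comments #7 and #8 above (the package.json range can sit below the locked version, so the lockfile decides what actually ships): this added shell example is not part of the issue or of Drupal core. It reads a yarn v1 lockfile and verifies that every minimist entry resolves to at least the version this issue locks, 1.2.5; the lockfile contents below are constructed to mirror that state.

```shell
# Constructed sample of a yarn v1 lockfile (not Drupal's real lock) in the
# state this issue describes: both minimist ranges resolve to 1.2.5. lodash
# is included only so the filter has an entry to skip.
SAMPLE_LOCK='# yarn lockfile v1
lodash@^4.17.15:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz"

minimist@^1.2.0, minimist@^1.2.2:
  version "1.2.5"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz"
'
# version_ge A B: exit 0 when dotted version A >= B, compared numerically
# component by component (pre-release suffixes are not handled).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if ((x[i] + 0) > (y[i] + 0)) exit 0
      if ((x[i] + 0) < (y[i] + 0)) exit 1
    }
    exit 0
  }'
}

# lock_versions PKG LOCKFILE: print every version PKG resolves to. An entry
# starts in column 0 with "name@range" keys and its version line is indented.
lock_versions() {
  awk -v pkg="$1" '
    /^[^ ]/ { inpkg = ($0 ~ ("(^|, )\"?" pkg "@")) }
    inpkg && /^  version "/ { gsub(/"/, "", $2); print $2 }
  ' "$2"
}

# lock_at_least PKG MINVER LOCKFILE: exit 0 only if PKG is present and every
# resolved version is >= MINVER (a package missing from the lock fails).
lock_at_least() {
  versions=$(lock_versions "$1" "$3")
  [ -n "$versions" ] || return 1
  for v in $versions; do
    version_ge "$v" "$2" || return 1
  done
  return 0
}

lock=$(mktemp)
printf '%s' "$SAMPLE_LOCK" > "$lock"
lock_at_least minimist 1.2.5 "$lock" && echo "minimist resolves to >= 1.2.5"
rm -f "$lock"
```

Run against the real core/yarn.lock by replacing the constructed sample with the file path; a non-zero exit means some minimist entry still resolves below the intended version.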
Comment #9
jungle
Thanks! RTBC +1. BTW, #3 is the right patch, even though the comment is "Whoops, wrong patch".
Comment #10
alexpott
Can we have a Drupal 8 version as well? This package is used there too. I've confirmed that after applying the patch and running

yarn run build

nothing changes.

Committed and pushed 2c247a2d24 to 9.1.x and fd5bf29e33 to 9.0.x. Thanks!
Comment #13
jungle
by running

$ yarn upgrade minimist@^1.2.2
Comment #14
longwave

Comment #17
catch
Committed bd0c57d and pushed to 8.9.x. Thanks!

Cherry-picked to 8.8.x