CVE-2020-7608 #262

Hyperkid123 · 2023-10-10T11:55:38Z

The package showdown has an old yargs-parser dependency with this critical security vulnerability. Can we update the dependencies to remove it?

The text was updated successfully, but these errors were encountered:

dgutride · 2023-10-26T18:23:13Z

This one is important for us, too - @jessiehuff

jschuler · 2023-10-30T18:49:12Z

If you're still on PF4:
https://www.npmjs.com/package/@patternfly/quickstarts/v/2.4.3

If you're on PF5:
https://www.npmjs.com/package/@patternfly/quickstarts/v/5.1.0

In either case, showdown is no longer declared a dependency, it continue to remain a peer dependency though.
So in your own project, make sure that showdown is at 2.1.0 or greater.

i.e.
https://github.com/opendatahub-io/odh-dashboard/blob/main/frontend/package.json#L75
https://github.com/openshift/console/blob/master/frontend/package.json#L220
Could be updated

patternfly-build added this to PatternFly Extensions Oct 10, 2023

github-project-automation bot moved this to Needs triage in PatternFly Extensions Oct 10, 2023

jessiehuff added this to the QS Prioritized Backlog milestone Oct 11, 2023

jessiehuff moved this from Needs triage to Not started in PatternFly Extensions Oct 11, 2023

jessiehuff modified the milestones: QS Prioritized Backlog, 2023.10 - 10/31 Oct 27, 2023

jschuler mentioned this issue Oct 27, 2023

Remove showdown as dependency, update peerDep version of showdown #266

Merged

jschuler closed this as completed in #266 Oct 30, 2023

github-project-automation bot moved this from Not started to Done in PatternFly Extensions Oct 30, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2020-7608 #262

CVE-2020-7608 #262

Hyperkid123 commented Oct 10, 2023

dgutride commented Oct 26, 2023

jschuler commented Oct 30, 2023

CVE-2020-7608 #262

CVE-2020-7608 #262

Comments

Hyperkid123 commented Oct 10, 2023

dgutride commented Oct 26, 2023

jschuler commented Oct 30, 2023