Fix CVE-2024-39249: Force async@3.2.6 via resolutions #1902
Conversation
|
@TimothyAsirJeyasing: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: TimothyAsirJeyasing The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
The CVE-2024-39249 vulnerability was caused by older versions of async, which were being pulled by dependencies like http-server (via portfinder) and cypress (via getos). Since these dependencies have not yet updated to a secure version of async, this commit enforces async@3.2.6 using the resolutions field in package.json as a temporary workaround. Added "async": "^3.2.6" in resolutions in package.json. Ran yarn install, updating yarn.lock accordingly. This resolution should be removed once upstream dependencies update async. Signed-off-by: Timothy Asir Jeyasingh <tjeyasin@redhat.com>
TimothyAsirJeyasing
force-pushed
the
fix-CVE-2024-39249
branch
from
68d18e6 to
263c0a4
Compare
The CVE-2024-39249 vulnerability was caused by older versions of async, which were being pulled by dependencies like
http-server (via portfinder) and cypress (via getos).
Since these dependencies have not yet updated to a secure version of async, this commit enforces async@3.2.6 using the resolutions field in package.json as a temporary workaround.
Added "async": "^3.2.6" in resolutions in package.json. Ran yarn install, updating yarn.lock accordingly.
This resolution should be removed once
upstream dependencies update async.