Iconscout/unicons

Critical NPM vulnerability

antonreshetov opened this issue · 5 comments

Command Injection in fontello-cli dependency
https://npmjs.com/advisories/663

@antonreshetov Can you create a PR to fix this?

Looks like this is fixed upstream.
Would be happy to make a PR, if that would be welcome, but I'm not totally clear on what the process is... do you have any guidelines for newbies?

From what I can see all you need to do is apply this:

diff --git a/package.json b/package.json
index 7f9dc51..f0fbd82 100644
--- a/package.json
+++ b/package.json
@@ -44,7 +44,7 @@
     "async": "^2.6.1",
     "axios": "^0.19.0",
     "cheerio": "^1.0.0-rc.2",
-    "fontello-cli": "^0.4.0",
+    "fontello-cli": "^0.5.0",
     "fs-plus": "^3.1.1",
     "glob": "^7.1.3",
     "lodash": "^4.17.15",
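Review bot: the hunk only bumps the range in package.json; the regenerated package-lock.json needs to land in the same PR, since `npm ci` installs what the lockfile resolves and a lockfile still pinning 0.4.x leaves the advisory open. It would also help to reference https://npmjs.com/advisories/663 in the commit message so the reason for the bump is recorded.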

then just npm install, which will update your package-lock.json.
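Because the patch above touches only package.json, it is worth confirming that the regenerated lockfile really resolves fontello-cli to the target version before merging. The following is an added example, not code from the unicons project or from anyone in this thread; the package.json and package-lock.json objects are constructed inline to mirror npm's two lockfile shapes, and the 0.5.0 target is taken from the patch above.

```javascript
// Added example, not code from the unicons project or the thread.
// Checks whether the fontello-cli version actually resolved in
// package-lock.json is at or above the version the patch targets.
// Both lockfile shapes are handled: lockfileVersion 1 ("dependencies")
// and lockfileVersion 2/3 ("packages" keyed by node_modules path).

// Compare two dotted versions numerically. Pre-release suffixes are
// stripped; this is deliberately minimal, not a full semver implementation.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Resolve the version a top-level dependency is locked to, or null if
// the lockfile does not list it at all.
function lockedVersion(lock, name) {
  if (lock.packages && lock.packages[`node_modules/${name}`]) {
    return lock.packages[`node_modules/${name}`].version;
  }
  if (lock.dependencies && lock.dependencies[name]) {
    return lock.dependencies[name].version;
  }
  return null;
}

// Returns { ok, locked, declared } so a CI step can fail on ok === false.
// The caret range in package.json is not sufficient on its own: the
// lockfile decides what `npm ci` installs.
function checkDependencyFix(pkg, lock, name, minVersion) {
  const declared = (pkg.dependencies || {})[name] || null;
  const locked = lockedVersion(lock, name);
  const ok = locked !== null && compareVersions(locked, minVersion) >= 0;
  return { ok, locked, declared };
}

// Constructed sample: package.json already bumped, but the lockfile was
// not regenerated, so the old 0.4.0 would still be installed.
const samplePkg = { dependencies: { "fontello-cli": "^0.5.0" } };
const staleLock = {
  lockfileVersion: 1,
  dependencies: { "fontello-cli": { version: "0.4.0" } },
};
// Constructed sample: lockfile regenerated after the bump (v2 shape).
const freshLock = {
  lockfileVersion: 2,
  packages: { "node_modules/fontello-cli": { version: "0.5.0" } },
};

console.log(checkDependencyFix(samplePkg, staleLock, "fontello-cli", "0.5.0"));
console.log(checkDependencyFix(samplePkg, freshLock, "fontello-cli", "0.5.0"));
```

In a real repository the two objects would come from `JSON.parse(fs.readFileSync(...))` on the committed package.json and package-lock.json; the stale sample shows the case the reviewer cares about, where the manifest looks fixed but the install would not be.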

Any updates on this?

Thanks to @cypressious for creating the PR.

I've merged it to live and will release it in the next update.