Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for CVE-2024-29041 #471

Merged
merged 1 commit into from
Mar 30, 2024
Merged

Fix for CVE-2024-29041 #471

merged 1 commit into from
Mar 30, 2024

Conversation

frankhinek
Copy link
Contributor

Summary

This PR is primarily to address a high severity vulnerability:

Fix

Since a number of dependencies import the express package an override is added the root package.json to use version 4.19.2.

@frankhinek frankhinek added the security Security issue label Mar 29, 2024
@frankhinek frankhinek self-assigned this Mar 29, 2024
@github-actions GitHub Actions
Copy link
Contributor

TBDocs Report

🛑 Errors: 0
⚠️ Warnings: 4

@web5/api

  • Project entry file: packages/api/src/index.ts

@web5/crypto

  • Project entry file: packages/crypto/src/index.ts

@web5/crypto-aws-kms

  • Project entry file: packages/crypto-aws-kms/src/index.ts
📄 File: ./packages/crypto-aws-kms/src/ecdsa.ts
⚠️ extractor:typedoc:missing-docs: EcdsaAlgorithm (Class) does not have any documentation.
📄 File: ./packages/crypto-aws-kms/src/key-manager.ts
⚠️ extractor:typedoc:missing-docs: AwsKeyManager (Class) does not have any documentation.
📄 File: ./packages/crypto-aws-kms/src/utils.ts
⚠️ extractor:typedoc:missing-docs: getKeySpec (CallSignature) does not have any documentation.
🔀 Misc.
⚠️ extractor:typedoc:invalid-link: Failed to resolve link to "@web5/crypto#Secp256k1.adjustSignatureToLowS | here" in comment for EcdsaAlgorithm.sign. You may have wanted "@web5/crypto!Secp256k1.adjustSignatureToLowS | here"

@web5/dids

  • Project entry file: packages/dids/src/index.ts

@web5/credentials

  • Project entry file: packages/credentials/src/index.ts

TBDocs Report Updated at 2024-03-29T20:20:58Z 5e96ed9

@codecov-commenter
Copy link

Codecov Report

Merging #471 (5e96ed9) into main (c11b5ff) will increase coverage by 90.54%.
The diff coverage is n/a.

Additional details and impacted files 
@@            Coverage Diff            @@
##           main     #471       +/-   ##
=========================================
+ Coverage      0   90.54%   +90.54%     
=========================================
  Files         0      112      +112     
  Lines         0    29085    +29085     
  Branches      0     2077     +2077     
=========================================
+ Hits          0    26335    +26335     
- Misses        0     2715     +2715     
- Partials      0       35       +35
Components Coverage Δ
agent 78.83% <ø> (∅)
api 97.89% <ø> (∅)
common 98.68% <ø> (∅)
credentials 94.95% <ø> (∅)
crypto 93.81% <ø> (∅)
dids 97.65% <ø> (∅)
identity-agent 96.70% <ø> (∅)
crypto-aws-kms 100.00% <ø> (∅)
proxy-agent 96.70% <ø> (∅)
user-agent 96.70% <ø> (∅)

@ALRubinger ALRubinger self-requested a review March 29, 2024 20:29
ALRubinger
ALRubinger approved these changes Mar 29, 2024
View reviewed changes
Copy link
Contributor

@ALRubinger ALRubinger left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed fixed the sec issue:

image

And CI passes. Thanks @frankhinek!

@frankhinek frankhinek merged commit 3e79652 into main Mar 30, 2024
10 checks passed
@frankhinek frankhinek deleted the CVE-2024-29041 branch March 30, 2024 01:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@diehuxx diehuxx diehuxx approved these changes

@shamilovtim shamilovtim shamilovtim approved these changes

@ALRubinger ALRubinger ALRubinger approved these changes

@csuwildcat csuwildcat csuwildcat approved these changes

@mistermoe mistermoe Awaiting requested review from mistermoe

@LiranCohen LiranCohen Awaiting requested review from LiranCohen

@thehenrytsai thehenrytsai Awaiting requested review from thehenrytsai

Assignees

@frankhinek frankhinek

Labels
security Security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@frankhinek @codecov-commenter @csuwildcat @ALRubinger @shamilovtim @diehuxx