From e014a7339390693383ad00a020b8e3337f780f19 Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Wed, 10 Apr 2019 13:07:54 +0200
Subject: [PATCH 1/2] Update meta-marked to fix possible vulnerabilities

Snyk informed us about possible vulnerabilities in meta-marked. It seems like at least some of them were already address by HackMD around a year ago but never pushed upstream to CodiMD. This patch provides a fix by using an up-to-date dependency from our own repository with CI integration.

Details: https://app.snyk.io/vuln/SNYK-JS-JSYAML-174129

Signed-off-by: Sheogorath
---
package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 4d20927..331d42d 100644
--- a/package.json
+++ b/package.json
@@ -81,7 +81,7 @@
 "mathjax": "~2.7.0",
 "mattermost": "^3.4.0",
 "mermaid": "~7.1.0",
- "meta-marked": "^0.4.2",
+ "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.2",
 "method-override": "^2.3.7",
 "minimist": "^1.2.0",
 "minio": "^6.0.0",

From 32f6037da9f9c3025fb53a541c240325bdafd11f Mon Sep 17 00:00:00 2001
From: Sheogorath
Date: Wed, 10 Apr 2019 13:35:38 +0200
Subject: [PATCH 2/2] Update yarn to version 1.15.2

The yarn version we use in CI is quite outdated. This brings up the problem that it doesn't support semver for git repositories. In order to fix that problem updating yarn seems to be the right thing to do. This patch should fix the CI problem caused by the semver git URL.

Signed-off-by: Sheogorath
---
.travis.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 37e3352..a2fce83 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,7 +4,7 @@
 cache: yarn
 env:
 global:
 - CXX=g++-4.8
- - YARN_VERSION=1.3.2
+ - YARN_VERSION=1.15.2
 jobs:
 include:
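Review bot: The diffstat for the first patch lists only package.json, so the lockfile is not regenerated for the new `"meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.2"` line; if CI installs with `--frozen-lockfile` the mismatch will fail the build, and without it the resolved commit is whatever tag matches `^0.4.2` at install time rather than a recorded revision. Running `yarn install` locally and committing the regenerated yarn.lock entry, which records the resolved git commit, keeps the security fix reproducible across installs. A git dependency also loses the registry's integrity hash, so pinning the reference to a specific commit hash (for example `#<commit-sha>` in place of the semver range, with the SHA being a placeholder here) would be more robust than a movable tag. The enclosing dependencies object in package.json continues outside the hunk.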