Upgrade karma in NPM dependencies

Bug #1965432 reported by Chris Sharp
Affects | Status | Importance | Assigned to | Milestone
Evergreen | Fix Released | High | Unassigned |
3.8 | Fix Released | High | Unassigned |

Bug Description

Creating a branch to upgrade karma to version 6.3.17 to fix known security problems.

Chris Sharp (chrissharp123) wrote :

Branch implementing this change at security/user/csharp/lp1965432_upgrade_karma_npm

I've tested this for both AngularJS and Angular builds and saw no problems.

tags: added: angular angularjs
tags: added: pullrequest
Changed in evergreen:
importance: Undecided → High
Jane Sandberg (sandbergja) wrote :

Thank you, Chris! Signoff and small follow-up commit here: security/user/sandbergja/lp1965432_upgrade_karma_npm_signoff

Since the karma vulnerabilities are already known and public, I would advocate making this bug public and releasing it through the typical release process. If we go that route, I'd be happy to merge this.

Jason Boyer (jboyer) wrote :

+1 to making this public, especially since it's a build-time only issue.

Chris Sharp (chrissharp123) wrote :

Updated to public security - thanks, Jane.

information type: Private Security → Public Security
Jane Sandberg (sandbergja) wrote :

Thank you, Chris. I pushed to master and will work on the backport in a bit.

Changed in evergreen:
status: New → Fix Committed
milestone: none → 3.9-beta
Jane Sandberg (sandbergja) wrote :

Backported to rel_3_8.

Changed in evergreen:
status: Fix Committed → Fix Released