From 5b512364b0af10d464113d5dc171db07b04a49b7 Mon Sep 17 00:00:00 2001
From: Gaurav Munjal
Date: Fri, 1 Nov 2024 07:53:15 -0400
Subject: [PATCH] fix security vulnerability in lodash.template

---
 index.js     |  2 +-
 package.json |  9 ++++--
 yarn.lock    | 89 +++++++++++++++------------------------------------
 3 files changed, 32 insertions(+), 68 deletions(-)

diff --git a/index.js b/index.js
index 21625b0e..d60a5b29 100644
--- a/index.js
+++ b/index.js
@@ -20,7 +20,7 @@ const path = require('path');
 // broccoli-rollup: rollup dependencies to expected module format
 //
 const stew = require('broccoli-stew');
-const Template = require('broccoli-templater');
+const Template = require('@gorner/broccoli-templater');
 const MergeTrees = require('broccoli-merge-trees');
 const concat = require('broccoli-concat');
 const map = stew.map;
diff --git a/package.json b/package.json
index 08c66d0d..40697416 100644
--- a/package.json
+++ b/package.json
@@ -37,7 +37,7 @@
     "broccoli-merge-trees": "^4.2.0",
     "broccoli-rollup": "^5.0.0",
     "broccoli-stew": "^3.0.0",
-    "broccoli-templater": "^2.0.1",
+    "@gorner/broccoli-templater": "^2.0.3",
     "calculate-cache-key-for-tree": "^2.0.0",
     "caniuse-api": "^3.0.0",
     "ember-cli-babel": "^7.26.11",
@@ -48,7 +48,10 @@
     "whatwg-fetch": "^3.6.2"
   },
   "resolutions": {
-    "@babel/traverse": "^7.25.9"
+    "@babel/traverse": "^7.25.9",
+    "json5": "^2.2.3",
+    "rollup": "^2.79.2",
+    "sourcemap-validator": "Gaurav0/sourcemap-validator#replace-lodash-template"
   },
   "devDependencies": {
     "@babel/core": "^7.26.0",
@@ -102,7 +105,7 @@
     "chai-fs": "^2.0.0",
     "concurrently": "^8.0.1",
     "ember-auto-import": "^2.9.0",
-    "ember-cli": "~4.12.1",
+    "ember-cli": "~4.12.3",
     "ember-cli-addon-tests": "^0.11.1",
     "ember-cli-dependency-checker": "^3.3.1",
     "ember-cli-fastboot": "^4.1.5",
diff --git a/yarn.lock b/yarn.lock
index 07d2a5d7..2aa31fa9 100644
--- a/yarn.lock
+++ b/yarn.lock
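Review bot: The new `sourcemap-validator` resolution in the package.json `"resolutions"` hunk points at a branch name (`#replace-lodash-template`) on a personal GitHub fork, which is a mutable reference; only the yarn.lock entry (resolved to the codeload tarball for commit a69565cc7820e404a177272f7e2edad39c02953d) pins what is actually installed, and that entry carries no `integrity` field because git tarballs are not checksummed by the registry. Pinning the spec to the commit instead, `"sourcemap-validator": "Gaurav0/sourcemap-validator#a69565cc7820e404a177272f7e2edad39c02953d"`, makes the manifest itself reproducible and keeps a later lockfile regeneration from silently pulling a different branch head. The same hunk and the `"dependencies"` hunk above it replace two registry packages with forks under individual accounts (`@gorner/broccoli-templater`, `Gaurav0/...`), so the commit message or a comment should name the lodash.template advisory being addressed and whether these forks are a stopgap until the upstream packages drop `lodash.template`, since that is what a future maintainer needs in order to decide when to switch back.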
@@ -1386,6 +1386,17 @@ dependencies: babel-plugin-debug-macros "^0.3.4" +"@gorner/broccoli-templater@^2.0.3": + version "2.0.3" + resolved "https://registry.yarnpkg.com/@gorner/broccoli-templater/-/broccoli-templater-2.0.3.tgz#c57f9b847d8cb5c436e934aa923bf0062ba0e05a" + integrity sha512-YTnGn1lYgUvD5C2JmN2j6nCFzvri79Xzu57rBgSlk9Mb7otME75jgk0N3gPGnwLPxqJqr0Bqt+JdvQ2lfkm2rw== + dependencies: + broccoli-plugin "^1.3.1" + fs-tree-diff "^0.5.9" + lodash "^4.17.21" + rimraf "^2.6.2" + walk-sync "^0.3.3" + "@handlebars/parser@~2.0.0": version "2.0.0" resolved "https://registry.yarnpkg.com/@handlebars/parser/-/parser-2.0.0.tgz#5e8b7298f31ff8f7b260e6b7363c7e9ceed7d9c5" @@ -3811,17 +3822,6 @@ broccoli-stew@^3.0.0: symlink-or-copy "^1.2.0" walk-sync "^1.1.3" -broccoli-templater@^2.0.1: - version "2.0.2" - resolved "https://registry.yarnpkg.com/broccoli-templater/-/broccoli-templater-2.0.2.tgz#285a892071c0b3ad5ebc275d9e8b3465e2d120d6" - integrity sha512-71KpNkc7WmbEokTQpGcbGzZjUIY1NSVa3GB++KFKAfx5SZPUozCOsBlSTwxcv8TLoCAqbBnsX5AQPgg6vJ2l9g== - dependencies: - broccoli-plugin "^1.3.1" - fs-tree-diff "^0.5.9" - lodash.template "^4.4.0" - rimraf "^2.6.2" - walk-sync "^0.3.3" - broccoli-terser-sourcemap@^4.1.0: version "4.1.1" resolved "https://registry.yarnpkg.com/broccoli-terser-sourcemap/-/broccoli-terser-sourcemap-4.1.1.tgz#4c26696e07a822e1fc91fb48c5b6d6c70d5ca9b2" 
@@ -5491,10 +5491,10 @@ ember-cli-version-checker@^5.1.1, ember-cli-version-checker@^5.1.2: semver "^7.3.4" silent-error "^1.1.1" -ember-cli@~4.12.1: - version "4.12.2" - resolved "https://registry.yarnpkg.com/ember-cli/-/ember-cli-4.12.2.tgz#a9d2dd191093fcf18122732fae8999c9ca873447" - integrity sha512-990UglceEsB3nd/pTI08wL+hbApICrd6P4BO88486rSf9r3XjZ7LBcD318N8I1AGe5IUDkbccMrOQxoHge6zNg== +ember-cli@~4.12.3: + version "4.12.3" + resolved "https://registry.yarnpkg.com/ember-cli/-/ember-cli-4.12.3.tgz#a8c3f0e62ed1c595fd2348eca82a3a068c6bf001" + integrity sha512-Ilap7fVGx0+sF6y5O1id+xVPYlc2cJ8OAG6faEQPyvbaCCUsCZnAEr7EMA+5qg0kNqjawIIHJTgnQesdbaDwtg== dependencies: "@babel/core" "^7.21.0" "@babel/plugin-transform-modules-amd" "^7.20.11" @@ -5558,7 +5558,7 @@ ember-cli@~4.12.1: isbinaryfile "^5.0.0" js-yaml "^4.1.0" leek "0.0.24" - lodash.template "^4.5.0" + lodash "^4.17.21" markdown-it "^13.0.1" markdown-it-terminal "^0.4.0" minimatch "^7.4.1" 
@@ -8607,19 +8607,7 @@ json-stringify-safe@~5.0.1: resolved "https://registry.yarnpkg.com/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz#1296a2d58fd45f19a0f6ce01d65701e2c735b6eb" integrity sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA== -json5@^0.5.1: - version "0.5.1" - resolved "https://registry.yarnpkg.com/json5/-/json5-0.5.1.tgz#1eade7acc012034ad84e2396767ead9fa5495821" - integrity sha1-Hq3nrMASA0rYTiOWdn6tn6VJWCE= - -json5@^1.0.1: - version "1.0.1" - resolved "https://registry.yarnpkg.com/json5/-/json5-1.0.1.tgz#779fb0018604fa854eacbf6252180d83543e3dbe" - integrity sha512-aKS4WQjPenRxiQsC93MNfjx+nbF4PAdYzmd/1JIj8HYzqfbu86beTuNgXDzPknWk0n0uARlyewZo4s++ES36Ow== - dependencies: - minimist "^1.2.0" - -json5@^2.1.2, json5@^2.2.3: +json5@^0.5.1, json5@^1.0.1, json5@^2.1.2, json5@^2.2.3: version "2.2.3" resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.3.tgz#78cd6f1a19bdc12b73db5ad0c61efd66c1e29283" integrity sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg== @@ -8904,11 +8892,6 @@ lodash._isiterateecall@^3.0.0: resolved "https://registry.yarnpkg.com/lodash._isiterateecall/-/lodash._isiterateecall-3.0.9.tgz#5203ad7ba425fae842460e696db9cf3e6aac057c" integrity sha1-UgOte6Ql+uhCRg5pbbnPPmqsBXw= -lodash._reinterpolate@^3.0.0: - version "3.0.0" - resolved "https://registry.yarnpkg.com/lodash._reinterpolate/-/lodash._reinterpolate-3.0.0.tgz#0ccf2d89166af03b3663c796538b75ac6e114d9d" - integrity sha1-DM8tiRZq8Ds2Y8eWU4t1rG4RTZ0= - lodash.assign@^3.2.0: version "3.2.0" resolved "https://registry.yarnpkg.com/lodash.assign/-/lodash.assign-3.2.0.tgz#3ce9f0234b4b2223e296b8fa0ac1fee8ebca64fa" 
@@ -8968,11 +8951,6 @@ lodash.flatten@^3.0.2: lodash._baseflatten "^3.0.0" lodash._isiterateecall "^3.0.0" -lodash.foreach@^4.5.0: - version "4.5.0" - resolved "https://registry.yarnpkg.com/lodash.foreach/-/lodash.foreach-4.5.0.tgz#1a6a35eace401280c7f06dddec35165ab27e3e53" - integrity sha1-Gmo16s5AEoDH8G3d7DUWWrJ+PlM= - lodash.isarguments@^3.0.0: version "3.1.0" resolved "https://registry.yarnpkg.com/lodash.isarguments/-/lodash.isarguments-3.1.0.tgz#2f573d85c6a24289ff00663b491c1d338ff3458a" @@ -9017,21 +8995,6 @@ lodash.restparam@^3.0.0: resolved "https://registry.yarnpkg.com/lodash.restparam/-/lodash.restparam-3.6.1.tgz#936a4e309ef330a7645ed4145986c85ae5b20805" integrity sha1-k2pOMJ7zMKdkXtQUWYbIWuWyCAU= -lodash.template@^4.4.0, lodash.template@^4.5.0: - version "4.5.0" - resolved "https://registry.yarnpkg.com/lodash.template/-/lodash.template-4.5.0.tgz#f976195cf3f347d0d5f52483569fe8031ccce8ab" - integrity sha512-84vYFxIkmidUiFxidA/KjjH9pAycqW+h980j7Fuz5qxRtO9pgB7MDFTdys1N7A5mcucRiDyEq4fusljItR1T/A== - dependencies: - lodash._reinterpolate "^3.0.0" - lodash.templatesettings "^4.0.0" - -lodash.templatesettings@^4.0.0: - version "4.2.0" - resolved "https://registry.yarnpkg.com/lodash.templatesettings/-/lodash.templatesettings-4.2.0.tgz#e481310f049d3cf6d47e912ad09313b154f0fb33" - integrity sha512-stgLz+i3Aa9mZgnjr/O+v9ruKZsPsndy7qPZOchbqk2cnTU1ZaldKK+v7m54WoKIyxiuMZTKT2H81F8BeAc3ZQ== - dependencies: - lodash._reinterpolate "^3.0.0" - lodash.truncate@^4.4.2: version "4.4.2" resolved "https://registry.yarnpkg.com/lodash.truncate/-/lodash.truncate-4.4.2.tgz#5a350da0b1113b837ecfffd5812cbe58d6eae193" 
@@ -11224,10 +11187,10 @@ rollup-pluginutils@^2.8.1: dependencies: estree-walker "^0.6.1" -rollup@^2.50.0: - version "2.79.1" - resolved "https://registry.yarnpkg.com/rollup/-/rollup-2.79.1.tgz#bedee8faef7c9f93a2647ac0108748f497f081c7" - integrity sha512-uKxbd0IhMZOhjAiD5oAFp7BqvkA4Dv47qpOCtaNvng4HBwdbWtdOh8f5nZNuk2rp51PMGk3bzfWu5oayNEuYnw== +rollup@^2.50.0, rollup@^2.79.2: + version "2.79.2" + resolved "https://registry.yarnpkg.com/rollup/-/rollup-2.79.2.tgz#f150e4a5db4b121a21a747d762f701e5e9f49090" + integrity sha512-fS6iqSPZDs3dr/y7Od6y5nha8dW1YnbgtsyotCVvoFGKbERG++CVRFv1meyGDE1SNItQA8BrnCw7ScdAhRJ3XQ== optionalDependencies: fsevents "~2.3.2" @@ -11788,14 +11751,12 @@ sourcemap-codec@^1.4.4: resolved "https://registry.yarnpkg.com/sourcemap-codec/-/sourcemap-codec-1.4.8.tgz#ea804bd94857402e6992d05a38ef1ae35a9ab4c4" integrity sha512-9NykojV5Uih4lgo5So5dtw+f0JgJX30KCNI8gwhz2J9A15wD0Ml6tjHKwf6fTSa6fAdVBdZeNOs9eJ71qCk8vA== -sourcemap-validator@^1.1.0: - version "1.1.1" - resolved "https://registry.yarnpkg.com/sourcemap-validator/-/sourcemap-validator-1.1.1.tgz#3d7d8a399ccab09c1fedc510d65436e25b1c386b" - integrity sha512-pq6y03Vs6HUaKo9bE0aLoksAcpeOo9HZd7I8pI6O480W/zxNZ9U32GfzgtPP0Pgc/K1JHna569nAbOk3X8/Qtw== +sourcemap-validator@Gaurav0/sourcemap-validator#replace-lodash-template, sourcemap-validator@^1.1.0: + version "2.1.0" + resolved "https://codeload.github.com/Gaurav0/sourcemap-validator/tar.gz/a69565cc7820e404a177272f7e2edad39c02953d" dependencies: jsesc "~0.3.x" - lodash.foreach "^4.5.0" - lodash.template "^4.5.0" + lodash "^4.17.21" source-map "~0.1.x" spawn-args@^0.2.0: