Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade @astrojs/sitemap to latest #1156

Merged
merged 3 commits into from
Nov 28, 2023
Merged

Upgrade @astrojs/sitemap to latest #1156

merged 3 commits into from
Nov 28, 2023

Conversation

votemike
Copy link
Contributor

Description

Upgrade sitemap package to fix Zod security issue.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Nov 27, 2023
edited
Loading

🦋 Changeset detected

Latest commit: db443ce

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@astrojs/starlight Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel Vercel
Copy link

vercel bot commented Nov 27, 2023
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated (UTC)
starlight ✅ Ready (Inspect) Visit Preview Nov 28, 2023 11:22am

@github-actions github-actions bot added the 🌟 core Changes to Starlight’s main package label Nov 27, 2023
@astrobot-houston
Copy link
Collaborator

Hello! Thank you for opening your first PR to Starlight! ✨

Here’s what will happen next:

  1. Our GitHub bots will run to check your changes.
    If they spot any issues you will see some error messages on this PR.
    Don’t hesitate to ask any questions if you’re not sure what these mean!

  2. In a few minutes, you’ll be able to see a preview of your changes on Vercel 🤩

  3. One or more of our maintainers will take a look and may ask you to make changes.
    We try to be responsive, but don’t worry if this takes a few days.

@delucis
Copy link
Member

delucis commented Nov 28, 2023

Thanks for the PR @votemike. I assume this relates to GHSA-m95q-7qp3-xv42?

To be clear, this vulnerability does not impact Starlight — firstly because we do not parse any e-mails, and secondly because this is a DDoS vulnerability that would only apply if you were using Zod to parse unsanitized user input, for example in a server application, which is not the case with Starlight.

Still happy to update versions so people’s security analysis tools don’t complain, but wanted to mention this here for the record.

@delucis delucis changed the title Upgrade to fix Zod security issue Upgrade @astrojs/sitemap to latest Nov 28, 2023
@delucis delucis merged commit 631c5ae into withastro:main Nov 28, 2023
7 checks passed
@astrobot-houston astrobot-houston mentioned this pull request Nov 28, 2023
Merged
@votemike
Copy link
Contributor Author

Yep. I guessed as much. But I thought other people's dependabots would be complaining.

Also, other parts of @astrojs/starlight seem to have already updated to 3.22.4, this seemed to be the only thing that hadn't.

@votemike votemike deleted the update-sitemap branch November 29, 2023 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
🌟 core Changes to Starlight’s main package
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@votemike @astrobot-houston @delucis