Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🔒 upgrade vulnerable packages #306

Merged
merged 1 commit into from
Mar 17, 2020
Merged

🔒 upgrade vulnerable packages #306

merged 1 commit into from
Mar 17, 2020

Conversation

bcaudan
Copy link
Contributor

@bcaudan bcaudan commented Mar 16, 2020

No description provided.

@bcaudan bcaudan requested a review from a team as a code owner March 16, 2020 15:35
BenoitZugmeyer
BenoitZugmeyer approved these changes Mar 16, 2020
View reviewed changes
package.json
Comment on lines +28 to +31
"resolutions": {
"acorn": "6.4.1",
"minimist": "1.2.2"
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should pin versions in package.json. The lockfile should be enough.

Copy link
Member

@BenoitZugmeyer BenoitZugmeyer Mar 16, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or maybe set ">=6.4.1" so the dependency can be upgraded

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I don't pin version, it will still use older version, if the main version does not match:

[email protected]:
  version "0.0.8"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.0.8.tgz#857fcabfc3397d2625b8228262e86aa7a011b05d"
  integrity sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=

minimist@^1.1.0, minimist@^1.1.3, minimist@^1.2.0:
  version "1.2.2"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.2.tgz#b00a00230a1108c48c169e69a291aafda3aacd63"
  integrity sha512-rIqbOrKb8GJmx/5bc2M0QchhUouMXSpd1RTclXsB41JdL+VtnojfaJR+h7F9k18/4kHUsBFgk80Uk+q569vjPA==

minimist@~0.0.1:
  version "0.0.10"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.0.10.tgz#de3f98543dbf96082be48ad1a0c7cda836301dcf"
  integrity sha1-3j+YVD2/lggr5IrRoMfNqDYwHc8=

instead of

[email protected], [email protected], minimist@^1.1.0, minimist@^1.1.3, minimist@^1.2.0, minimist@~0.0.1:
  version "1.2.2"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.2.tgz#b00a00230a1108c48c169e69a291aafda3aacd63"
  integrity sha512-rIqbOrKb8GJmx/5bc2M0QchhUouMXSpd1RTclXsB41JdL+VtnojfaJR+h7F9k18/4kHUsBFgk80Uk+q569vjPA==

wdyt?

Copy link
Member

@BenoitZugmeyer BenoitZugmeyer Mar 16, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, you're right, some libs are still requiring outdated versions. I think it'll be OK for now, but we should reconsider when upgrading our dependencies. Maybe use more precise overrides like this:

    "**/gulp-sourcemaps/acorn": "6.4.1",
    "**/optimist/minimist": "1.2.2",
    "**/mkdirp/minimist": "1.2.2"

@bcaudan bcaudan merged commit 4eb6e87 into master Mar 17, 2020
@bcaudan bcaudan deleted the bcaudan/security branch March 17, 2020 09:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BenoitZugmeyer BenoitZugmeyer BenoitZugmeyer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bcaudan @BenoitZugmeyer