Adjusting @embroider/webpack to use @babel/preset-env to avoid critical security audit
#1868
Conversation
…preset-env to address critical security audit.
|
Chiming in here with some extra thoughts - it appears I don't have enough context to understand why/what this is doing |
|
There is code that deals with both types of babel preset-env based on babel 6 or 7 and the test scenario needs to bring the old one in to test it. It shouldn’t affect the webpack package specifically. Hopefully the audit stuff is making a nuanced enough look at the lock file to recognize that. |
mansona
added
enhancement
There was a problem hiding this comment.
This looks good to me. I did an audit of the difference between babel-preset-env and @babel/preset-env and I think the safest thing for us to do is to mark this as a breaking change on our side. There is a possibility of changes in behaviour because of some of the listed breaking changes:
- Adhering to async generator yield behavior change babel/babel#6452
- [preset-env] Exclude transform-typeof-symbol with
looseoption. babel/babel#6831 - Rely entirely on sourceType for module vs script differentiation. babel/babel#7417
- Always transform for-await in async functions[rebase of #6953]. babel/babel#7446
- Allow more flexible file-based configuration while preventing .babelrcs from breaking things babel/babel#7358
- Add browserslist 4 support. babel/babel#8509
At its base, this is a straightforward change to one dependency in the package.json for @embroider/webpack.
Running the full test suite locally, the last several release-watch-mode scenarios timed out, but otherwise it showed the same handful of errors that it showed when I ran the test suite before the change. I had seen one or two watch-mode tests fail earlier, so I'm not sure if that's test fragility or something to concern myself with about the change.
I'm also a little concerned about a number of the changes that happened in the
pnpm-lock.yamlwhen I ran pnpm install after making the package.json change. I had only looked at the lock file after I'd run the tests with all those timeouts, though. Not sure if that made a difference.This PR will at least open the conversation and I can take it from there with guidance and context.