Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: address npm audit security report #42

Merged
merged 7 commits into from
Oct 4, 2018

Conversation

markowsiak
Copy link
Contributor

@markowsiak markowsiak commented Oct 2, 2018

Running npm audit resulted in some vulnerabilities being detected.

Other than some normal package updates the archived conventional-commits-parser library was imported as a vendor package, and its lodash dependency was updated locally to a security compliant version.

.travis.yml Outdated
deploy:
- provider: script
script: ./bin/nlm.js release
script: ./node_modules/.bin/nlm release
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume that won't work

@jkrems
Copy link
Collaborator

jkrems commented Oct 3, 2018

/home/travis/build/groupon/nlm/test/github/setup-labels.test.js
  43:28  error  Expected to return a value at the end of arrow function  consistent-return

@@ -54,14 +54,14 @@ function parseCommit(commit) {
const parentSha = meta.shift() || null;

const data = commitParser.sync(message, {
issuePrefixes: ['#', 'https?://\\w[\\w.-]*[\\w/-]+?'],
issuePrefixes: ['#', 'https?://\\w[\\w.-]*[\\D/-]+'],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

\D includes literally anything that isn't a digit, including e.g. ]

});
const prMatch = message.match(PR_MERGE_PATTERN);
if (prMatch) {
const prId = prMatch[1];
data.type = 'pr';
data.pullId = prId;
data.references.push({
Object.assign(data.references[0], {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain this a bit?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem. After updating the conventional-commits-parser library it seemed that there was already an array index of 0 present, and this test was expecting the original code to push those values into an empty array.
I thought it best to not disturb the original functionality

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I parse it, the test was expecting there to be no references, and hence our push()ed one is [0].

What's changed is that there now are some... I'd vote:

  1. figure out why (what are the references we're getting now that we weren't before)
  2. if they're good things, change the test to search for our push()ed item, rather than assuming it's at [0]
  3. if they're things we don't want, delete them and push ours

package.json Outdated
@@ -16,7 +16,11 @@
"scripts": {
"pretest": "eslint lib test",
"test": "mocha",
"posttest": "./bin/nlm.js verify"
"posttest": "nlm verify"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't think that'll work

package.json Outdated
"eslint-plugin-node": "^5.1.1",
"eslint-plugin-prettier": "^2.2.0",
"mocha": "^3.1.2",
"mocha": "^5.2.0",
"nlm": "^3.0.0",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems a bit recursive

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 we want to self-publish, explicitly. That way we can't accidentally release something that can't release.

@dbushong
Copy link
Member

dbushong commented Oct 3, 2018

I'm not seeing the "vendor package" you mentioned

@markowsiak
Copy link
Contributor Author

@dbushong the vendor package was removed as I found an updated version of the library in another repo 👍

@@ -54,7 +54,7 @@ function parseCommit(commit) {
const parentSha = meta.shift() || null;

const data = commitParser.sync(message, {
issuePrefixes: ['#', 'https?://\\w[\\w.-]*[\\D/-]+'],
issuePrefixes: ['#', 'https?://[a-zA-Z\\./-]*'],
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have a test case for what this fixes? Is this about multi-digit issue numbers..?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A story of how I got here:

  • https?://\\w[\\w.-]*[\\w/-]+? --> was the original regex before updating the conventional-commits-parser library, and did not capture a full portional of a JIRA url after updating the library
  • https?://\\w[\\w.-]*[\\D/-]+ --> did capture the JIRA url appropriately, but as @dbushong pointed out \D is very inclusive
  • https?://[a-zA-Z\\./-]* --> I decided to start over and attempt to match the two types of URLS in question

An example of a test failing after updating conventional-commits-parser is: https://github.com/groupon/nlm/blob/master/test/steps/pending-changes.test.js#L58-L64

It was failing because after the update it failed to capture https://jira.atlassian.com/browse/REPO- from https://jira.atlassian.com/browse/REPO-2001.

The result was prefix equalling REPO instead of REPO- as intended.

I didn't write any new tests about what this change fixes but ensured the 3 failing tests passed after the library update.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a test case for a URL like https://gh3.internal:4000/foo/bar/issues/42? IIRC the previous one was meant to be a non-greedy capture of "anything goes". Maybe just being more explicit about the final character (- or /) would make the difference..?

@markowsiak markowsiak merged commit 9f911da into master Oct 4, 2018
@jkrems jkrems deleted the mo-correct-vulnerabilities branch October 4, 2018 18:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants