-
Notifications
You must be signed in to change notification settings - Fork 916
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[1.3] Bump yo from 2.0.6 to 3.1.1 #5005
Conversation
Codecov Report
@@ Coverage Diff @@
## 1.3 #5005 +/- ##
==========================================
+ Coverage 67.46% 67.50% +0.04%
==========================================
Files 3044 3044
Lines 58692 58692
Branches 8902 8902
==========================================
+ Hits 39595 39619 +24
+ Misses 16945 16925 -20
+ Partials 2152 2148 -4
Flags with carried forward coverage won't be shown. Click here to find out more. |
integrity sha1-Xt1StIXKHZAP5kiVUFOZoN+kX3Y= | ||
dependencies: | ||
mimic-fn "^1.0.0" | ||
|
||
mem@^4.0.0: | ||
version "4.0.0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're still including mem 4.0.0 here. I believe you'll also need to upgrade fullname
, as you mentioned in the description.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Versions of mem
prior to 4.0.0 are vulnerable to Denial of Service (DoS). So 4.0.0
is fine. It is brought in from another package
ubuntu@ip-**:~/OpenSearch-Dashboards$ yarn why mem
yarn why v1.22.19
[1/4] Why do we have the module "mem"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.8.4"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "mem@1.1.0"
info Reasons this module exists
- "_project_#@osd#ui-framework#yo#fullname" depends on it
- Hoisted from "_project_#@osd#ui-framework#yo#fullname#mem"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "32KB"
info Disk size with transitive dependencies: "32KB"
info Number of shared dependencies: 1
=> Found "os-locale#mem@4.0.0"
info This module exists because "_project_#@osd#pm#webpack-cli#yargs#os-locale" depends on it.
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "72KB"
info Disk size with transitive dependencies: "88KB"
info Number of shared dependencies: 3
Done in 1.05s.
I only resolve the affected mem@1.1.0
.
Signed-off-by: ananzh <ananzh@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, assuming tests pass.
With the
SemVer
philosophy, when releasing a patch version, it should not introduce breaking changes, which includes bumping a dependency to its major version.yo
is a dev dependency in package@osd/ui-framework
for OSD. Meanwhile, it is not included in release artifact. Therefore, bumping major versions should not breakSemVer
rules.Description
Versions of
mem
prior to4.0.0
are vulnerable to Denial of Service (DoS).mem
is brought into OSD byyo#fullname
:There are two options to solve the issue:
fullname
needs and could be bumped to 4.0.0: sindresorhus/fullname@v3.3.0...v4.0.0yo
needs and could be bumped to 3.1.1: yeoman/yo@v2.0.6...v3.1.0No breaking changes from either option. Choose to bump
yo
.Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr