resolve 2/3 security advisories #48
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sojeri
added
type: dependencies
|
I don't feel comfortable committing manual fixes directly to the yarn.lock file -- IMO they will be too easily lost and it's not clear enough what versions we're requiring and why. I found this yarn feature that sounds like a good enough alternative: https://classic.yarnpkg.com/en/docs/selective-version-resolutions/ |
|
@suzubara TIL! I will add those to |
sojeri
commented
Apr 6, 2020
| @@ -11179,7 +11164,7 @@ stylelint@^13.2.1: | |||
| lodash "^4.17.15" | |||
| log-symbols "^3.0.0" | |||
| mathml-tag-names "^2.1.3" | |||
| meow "^6.0.1" | |||
| meow "^6.1.0" | |||
There was a problem hiding this comment.
gidjin
approved these changes
Apr 6, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This doesn't fix the
kind-ofissue but does fix the other two alerts attached to this repo. Kind of is a lot messier so I think we can hold out a few more days to see if big maintainers like storybook and FB will fix their deps. It cleans up yarn audit output a ton.minimist
security advisory: Prototype pollution in minimist
came from gonzales-pe pkg via postcss-sass
4.3.0)0.4.4)I could have fixed by patching yarn.lock alone, but used the force upgrade method for explictness here. See my work in b8e6805, c0f0a82, and 791b1e2.
acorn
security advisory: Regular Expression Denial of Service in Acorn
TBH, came from bad yarn logic. This is a long-time bug in yarn which happens from time to time: our dependency tree had no reason to have both 6.4.0 and 6.4.1, but yarn isn't great at cleaning these dupes. So I manually patched yarn.lock in fac6225.
reviewer notes
opened this based on yarn audit alone, so please check to ensure I didn't break the build? :)
yarn audit output-- before my changes (394 vulnerabilities)
yarn audit output-- after my changes (1 vulnerability)
this last vulnerability isn't from kind of. a closed issue on storybook claims this is already fixed, but upgrading to 5.3.18 did not resolve this. I am still bored so may open a PR to upgrade marksy & then can follow up to upgrade storybook if nobody else catches it.