Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: bump yargs parser version to avoid flagged vulnerable dependencies #23839

Merged
merged 5 commits into from
May 8, 2020
Merged

chore: bump yargs parser version to avoid flagged vulnerable dependencies #23839

merged 5 commits into from
May 8, 2020

Conversation

ashokdelphia
Copy link
Contributor

Description

Update the version of yargs used in gatsby-dev-cli and gatsby-cli.

  • Bump the yargs version to address some 'low' security vulnerability warnings. (01df9d4)

    'npm audit' complains for:

    This is obviously a big jump in major version numbers, but the usage looks reasonably vanilla, so I'm hoping it's obvious whether this breaks anything.

  • Bump the yargs version to address a 'low' security vulnerability warning in yargs-parser. (65b09f0)

    'npm audit' complains about 'yargs > yargs-parser' (https://npmjs.com/advisories/1500).

Documentation

N/A

Related Issues

This should fix the yargs-parser part of #23004.

@ashokdelphia
Bump the yargs version to address some 'low' security vulnerability w…
01df9d4 
…arnings.

'npm audit' complains for:

 - yargs > os-locale > mem (https://npmjs.com/advisories/1084)
 - yargs > yargs-parser (https://npmjs.com/advisories/1500)

This is obviously a big jump in major version numbers, but the usage looks reasonably vanilla, so I'm hoping it's obvious whether this breaks anything.
@ashokdelphia
Bump the yargs version to address a 'low' security vulnerability warn…
65b09f0 
…ing in yargs-parser.

'npm audit' complains about 'yargs > yargs-parser' (https://npmjs.com/advisories/1500).
@ashokdelphia ashokdelphia requested a review from a team as a code owner May 6, 2020 16:29
@gatsbot gatsbot bot added the status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer label May 6, 2020
@pieh pieh added type: maintenance An issue or pull request describing a change that isn't a bug, feature or documentation change and removed status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer labels May 6, 2020
@pieh
Copy link
Contributor

pieh commented May 6, 2020

We will need more changes than just bump - there were some breaking changes that we need to account for. I didn't do full check yet but few that I found so far that needs to be addressed:

Per https://github.com/yargs/yargs/releases/tag/v15.0.0

remove package.json-based parserConfiguration

Which we use in

gatsby/packages/gatsby-cli/package.json

Lines 86 to 88 in b9836da

"yargs": {
"boolean-negation": false
},

That no longer has effect and we need to find a way to apply it in different way or adjust code to not need it.

I was actually going over those right now and working on it - but might as well use your pull request ;)

@ashokdelphia
Copy link
Contributor Author

I was actually going over those right now and working on it - but might as well use your pull request ;)

Thanks for checking more closely.

Happy to leave it with you, but if I can be of any assistance, please let me know.

@pieh
Copy link
Contributor

pieh commented May 7, 2020

I will be updating this PR - if you want to do additional research on breaking changes and manual testing - I will for sure welcome another set of eyes and hands on this

@pieh pieh added the topic: cli Related to the Gatsby CLI label May 7, 2020
@pieh pieh changed the title Bump yargs parser version to avoid flagged vulnerable dependencies chore: bump yargs parser version to avoid flagged vulnerable dependencies May 7, 2020
@pieh
Copy link
Contributor

pieh commented May 7, 2020

Also note - we will need to track webpack/webpack-dev-server#2566 as well because that's dependency of gatsby (so this PR alone will not fix audit completely). Using this PR we still get:

➜  pr23839 git:(master) ✗ yarn audit    
yarn audit v1.21.0
warning ../package.json: No license field
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby > webpack-dev-server > yargs > yargs-parser           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 36236

For comparison - using latest we get 2 entries:

yarn audit    
yarn audit v1.21.0
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby > gatsby-cli > yargs > yargs-parser                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby > webpack-dev-server > yargs > yargs-parser           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
2 vulnerabilities found - Packages audited: 36257

pieh
pieh approved these changes May 8, 2020
View reviewed changes
Copy link
Contributor

@pieh pieh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@pieh pieh merged commit 2b1de8c into gatsbyjs:master May 8, 2020
@gatsbot
Copy link

gatsbot bot commented May 8, 2020

Holy buckets, @ashokdelphia — we just merged your PR to Gatsby! 💪💜

Gatsby is built by awesome people like you. Let us say “thanks” in two ways:

  1. We’d like to send you some Gatsby swag. As a token of our appreciation, you can go to the Gatsby Swag Store and log in with your GitHub account to get a coupon code good for one free piece of swag. We’ve got Gatsby t-shirts, stickers, hats, scrunchies, and much more. (You can also unlock even more free swag with 5 contributions — wink wink nudge nudge.) See gatsby.dev/swag for details.
  2. We just invited you to join the Gatsby organization on GitHub. This will add you to our team of maintainers. Accept the invite by visiting https://github.com/orgs/gatsbyjs/invitation. By joining the team, you’ll be able to label issues, review pull requests, and merge approved pull requests.

If there’s anything we can do to help, please don’t hesitate to reach out to us: tweet at @gatsbyjs and we’ll come a-runnin’.

Thanks again!

@kklem0 kklem0 mentioned this pull request May 10, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pieh pieh pieh approved these changes

Assignees

@pieh pieh

Labels
topic: cli Related to the Gatsby CLI type: maintenance An issue or pull request describing a change that isn't a bug, feature or documentation change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ashokdelphia @pieh