fix: Add missing dev dependencies: prebuildify and python package distutils in CI #1050

Open. Wants to merge 3 commits into base: master.
Conversation

simonmysun

prebuildify was introduced in the build script in 4de3ed6, and in the build script it is installed globally. This is not necessary; it should be installed as a dev dependency and managed by npm.

During testing I added distutils to the Dockerfiles. distutils has been removed from the Python standard library since 3.12 and has to be installed separately (Ref: https://docs.python.org/3.12/whatsnew/3.12.html, python/cpython#95299). In Debian, the Python version is currently at 3.9, but the change will propagate soon in the next major version.

This PR additionally fixes upstream vulnerability issues reported by npm audit.

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces

debug  4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - GHSA-gxpj-cx7g-858c
fix available via `npm audit fix`
node_modules/debug

micromatch  <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - GHSA-952p-6rrq-rcjv
fix available via `npm audit fix`
node_modules/micromatch

4 vulnerabilities (1 low, 1 moderate, 1 high, 1 critical)
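As an added example (not code from this PR or the project), a small CI gate that parses the human-readable npm audit report quoted above and fails on findings at or above a chosen severity. Note that the debug entry in the report carries no Severity line; the parser records it as "unknown" and the gate treats that as failing rather than letting a missing line hide a finding. The sample text is constructed from three of the entries above.

```python
import re

# Constructed sample: three of the entries from the npm audit output quoted
# in the PR description above (the debug entry really has no Severity line).
AUDIT_TEXT = """\
braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces

debug  4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - GHSA-gxpj-cx7g-858c
fix available via `npm audit fix`
node_modules/debug

micromatch  <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - GHSA-952p-6rrq-rcjv
fix available via `npm audit fix`
node_modules/micromatch
"""

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}
GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")

def parse_audit(text):
    """One dict per advisory block of the human-readable `npm audit` report;
    a block without a 'Severity:' line gets 'unknown' instead of being dropped."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        name, _, vrange = lines[0].partition("  ")  # "name  <range>" header line
        f = {"name": name, "range": vrange.strip(), "severity": "unknown",
             "advisory": None, "path": lines[-1]}  # last line is the module path
        for ln in lines[1:]:
            if ln.startswith("Severity:"):
                f["severity"] = ln.split(":", 1)[1].strip().lower()
            elif GHSA_RE.search(ln):
                f["advisory"] = GHSA_RE.search(ln).group(0)
        findings.append(f)
    return findings

def gate(findings, threshold="high"):
    """(passed, offenders): fail at or above the threshold; 'unknown' severity
    also fails so a missing Severity line cannot hide a finding."""
    floor = SEVERITY_RANK[threshold]
    bad = [f for f in findings if SEVERITY_RANK.get(f["severity"], 99) >= floor]
    return not bad, bad
```

In a pipeline you would feed `npm audit` output to `parse_audit` and exit non-zero when `gate` reports offenders.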
@minenwerfer

The repo seems abandoned, maybe someone should fork it?

@simonmysun (Author)

It's a pity that the repo is not maintained. But I'm afraid I'm not capable of taking it over.

@recrsn (Collaborator) commented Dec 1, 2024

It's very much not abandoned. There is not enough critical mass of changes to warrant a new release. NAPI has served us nicely by not breaking API/ABI, and most of the issues that get reported are due to firewalls or user errors.
