
Is there something that uses fast-loops implicitly? Can it be deleted? #233

Closed
maksnester opened this issue Jul 3, 2024 · 6 comments

@maksnester

maksnester commented Jul 3, 2024

Hi @robinweser
I can't find anything in this project that actually uses fast-loops. Is there some implicit usage?

It'd be nice to delete fast-loops to avoid this issue being reported by security toolchains.

That's the report we see from Mend


@techtolentino

Same as @maksnester

(thanks for creating this issue)

@robinweser
Owner

Hey @maksnester,
Thanks for raising this! Had no idea it'd be a vulnerability and also no idea we're not using the lib anymore. I think it can safely be removed. Would you open a PR for that? Simultaneously, I'm also going to fix the vulnerability in fast-loops so that everyone gets the issue fixed.

@xfournet
Contributor

xfournet commented Jul 4, 2024

Hi @robinweser, PR #234 created

robinweser added a commit that referenced this issue Jul 4, 2024
Remove fast-loops dependency (close #233)
@AmmarHasan

I think it can cause a vulnerability in projects depending on this library, and so on:

For example, I am using nano-css as a dependency and in the yarn.lock file inline-style-prefixer seems to be using fast-loops:

inline-style-prefixer@^7.0.0:
  version "7.0.0"
  resolved "https://pkgs.dev.azure.com/elli-eco/_packaging/elli-eco/npm/registry/inline-style-prefixer/-/inline-style-prefixer-7.0.0.tgz#991d550735d42069f528ac1bcdacd378d1305442"
  integrity sha1-mR1VBzXUIGn1KKwbzazTeNEwVEI=
  dependencies:
    css-in-js-utils "^3.1.0"
    fast-loops "^1.1.3"

I deleted my yarn.lock file and ran yarn install to remove fast-loops from the dependencies. I therefore think there should be a version bump after this change, to something like 7.0.1.

I will create a PR
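An added example, not from this thread or from the inline-style-prefixer project: a small script that parses a yarn.lock v1 file and reports which entries depend on a given package, which is how a scanner finding on a transitive package such as fast-loops is traced back to the direct dependency that introduces it. The lockfile text is constructed from the entry quoted above plus made-up entries; the function names are mine.

```javascript
// Constructed sample yarn.lock (v1): the inline-style-prefixer entry from the issue plus two made-up entries.
const SAMPLE_LOCK = `# yarn lockfile v1
css-in-js-utils@^3.1.0:
  version "3.1.0"
  dependencies:
    hyphenate-style-name "^1.0.3"
fast-loops@^1.1.3:
  version "1.1.3"
inline-style-prefixer@^7.0.0:
  version "7.0.0"
  integrity sha1-mR1VBzXUIGn1KKwbzazTeNEwVEI=
  dependencies:
    css-in-js-utils "^3.1.0"
    fast-loops "^1.1.3"
`;

// Parse a v1 lockfile into { specifiers, version, dependencies } objects; a header that
// lists several "name@range" specifiers maps every one of them to the same object.
function parseYarnLock(text) {
  const entries = {};
  let current = null, inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0 && line.endsWith(":")) {
      // Entry header: comma-separated, optionally quoted specifiers.
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specifiers: specs, version: null, dependencies: {} };
      for (const s of specs) entries[s] = current;
      inDeps = false;
    } else if (indent === 2 && current) {
      // Field line; "dependencies:" or "optionalDependencies:" opens a nested block.
      inDeps = /^(optionalD|d)ependencies:$/.test(line);
      const m = line.match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    } else if (indent === 4 && inDeps && current) {
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]*)"?$/); // name "range"
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Report "name@version -> target range" for every entry that depends on `target`.
function findDependents(lockText, target) {
  const out = [];
  for (const entry of new Set(Object.values(parseYarnLock(lockText)))) {
    if (!(target in entry.dependencies)) continue;
    const name = entry.specifiers[0].replace(/^(.+?)@.*$/, "$1"); // drop the range
    out.push(`${name}@${entry.version} -> ${target} ${entry.dependencies[target]}`);
  }
  return out.sort();
}
```

Run it against a real yarn.lock with `findDependents(fs.readFileSync("yarn.lock", "utf8"), "fast-loops")` to see which direct dependency needs the bump rather than deleting the lockfile wholesale.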

@AmmarHasan

I am getting this error when I try to push the change:

ERROR: Permission to robinweser/inline-style-prefixer.git denied to AmmarHasan.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

@robinweser Can you help?

@robinweser
Owner

@AmmarHasan You need to fork the project and create a PR from there. Only contributors can push to the source repository directly.
But what are you trying to do anyways? Just upgrade to 7.0.1 and you're good to go. There's nothing to be changed here. Also the issue in fast-loops was bumped and thus even packages depending on fast-loops should get a fix on re-install.
