This repository has been archived by the owner on Jan 16, 2023. It is now read-only.

fix yargs-parser & kind-of vulnerabilities #84

Merged
merged 2 commits into from
May 6, 2020

Conversation

sojeri
Contributor

@sojeri sojeri commented May 5, 2020

6ee951e upgrades the yargs dependency to ^15.0.0, which resolves the low severity vulnerability mentioned in #54. I chose 15 because it is the most recent version already pulled in via yarn.lock.

02ee186 upgrades the lint-staged dev dependency to ^10.0.0, which resolves the low severity warnings for a multitude of bad kind-of deps. I chose 10 because it is latest AND it has a much cleaner dependency chain.

Yarn audit before my changes:

yarn audit v1.22.4
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yargs                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yargs > yargs-parser                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Validation Bypass                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ kind-of                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.0.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lint-staged                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lint-staged > micromatch > braces > snapdragon > base >      │
│               │ define-property > is-descriptor > is-accessor-descriptor >   │
│               │ kind-of                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1490                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Validation Bypass                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ kind-of                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.0.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lint-staged                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lint-staged > micromatch > extglob > expand-brackets >       │
│               │ snapdragon > base > define-property > is-descriptor >        │
│               │ is-accessor-descriptor > kind-of                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1490                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
...
45 vulnerabilities found - Packages audited: 4687
Severity: 45 Low
✨  Done in 0.94s.

Yarn audit after my changes:

yarn audit v1.22.4
0 vulnerabilities found - Packages audited: 3646
✨  Done in 0.55s.
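As an added example (not part of this PR or the project's own code): a small JavaScript checker that evaluates the "Patched in" ranges printed in the audit output above against resolved package versions, so a reviewer can confirm which versions in a lockfile fall inside the fixed ranges without trusting the audit summary alone. The range grammar it handles is only the comparator form yarn audit prints here (`>=`, `<`, `||`), and the `INSTALLED` list is constructed sample data, not this repository's yarn.lock.

```javascript
// Added example: evaluate yarn-audit "Patched in" range expressions such as
// ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2" against installed versions.
// Deliberately dependency-free so it can run inside a minimal CI step.

// Parse "x.y.z" (optionally prefixed with "v") into a numeric triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not an x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Comparator operators, applied to the result of compareVersions(installed, pinned).
const OPS = {
  '>=': (c) => c >= 0,
  '>': (c) => c > 0,
  '<=': (c) => c <= 0,
  '<': (c) => c < 0,
  '=': (c) => c === 0,
};

// Grammar: alternatives separated by "||"; each alternative is a whitespace-separated
// conjunction of comparators like ">=13.1.2". Anything else is rejected loudly rather
// than silently treated as "patched".
function parseRange(expr) {
  return expr.split('||').map((alt) =>
    alt.trim().split(/\s+/).filter(Boolean).map((cmp) => {
      const m = /^(>=|<=|>|<|=)?v?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      return { op: m[1] || '=', version: m[2] };
    })
  );
}

// True when the version satisfies at least one alternative of the range.
function satisfies(version, expr) {
  return parseRange(expr).some((alt) =>
    alt.every(({ op, version: pinned }) => OPS[op](compareVersions(version, pinned)))
  );
}

// Advisory ranges exactly as printed in the PR's yarn audit output.
const PATCHED = {
  'yargs-parser': '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2',
  'kind-of': '>=6.0.3',
};

// Constructed sample of resolved versions (hypothetical lockfile contents).
const INSTALLED = [
  { name: 'yargs-parser', version: '13.1.1' },
  { name: 'yargs-parser', version: '18.1.3' },
  { name: 'kind-of', version: '6.0.2' },
  { name: 'kind-of', version: '6.0.3' },
];

// Return "name@version" for every installed package that is covered by an advisory
// but not inside its patched range.
function findUnpatched(installed, patched = PATCHED) {
  return installed
    .filter(({ name, version }) => name in patched && !satisfies(version, patched[name]))
    .map(({ name, version }) => `${name}@${version}`);
}

console.log(findUnpatched(INSTALLED)); // [ 'yargs-parser@13.1.1', 'kind-of@6.0.2' ]
```

Note that the yargs-parser range is not a simple floor: 14.x, 16.x and 17.x are not in any patched alternative, so a lockfile pinned to one of those would still be flagged even though it is "newer" than 13.1.2; the checker evaluates each `||` alternative rather than comparing against the lowest fixed version.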

@sojeri
Contributor Author

sojeri commented May 5, 2020

@wuweiweiwu are you the right person to poke for review? :)

@sojeri
Contributor Author

sojeri commented May 5, 2020

Or perhaps @hipstersmoothie is the right person to poke for review? :)

@hipstersmoothie
Contributor

Did you verify the changes work as expected?

@hipstersmoothie
Contributor

Mainly just if yargs still works

@sojeri
Contributor Author

sojeri commented May 6, 2020

@hipstersmoothie Yeah, the yargs setup seems fine. I tested only against the gh pages script, which with my changes is still working both with and without the ci flag.

Lint staged output also seemed no different after my changes.

@hipstersmoothie hipstersmoothie merged commit e8c739b into storybook-eol:master May 6, 2020
@hipstersmoothie hipstersmoothie added the patch Increment the patch version when merged label May 6, 2020
@sojeri
Contributor Author

sojeri commented May 12, 2020

@hipstersmoothie looks like CI failed on the release step due to bad credentials. Is this related to my change? Is it possible to rerun with good credentials?

@hipstersmoothie
Contributor

🚀 PR was released in v2.8.6 🚀

@hipstersmoothie hipstersmoothie added the released This issue/pull request has been released. label May 12, 2020
@gaetanmaisse gaetanmaisse mentioned this pull request Nov 6, 2020