Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restore markdownlint tests #12549

Merged
merged 12 commits into from Jun 2, 2020
Merged

Restore markdownlint tests #12549

merged 12 commits into from Jun 2, 2020

Conversation

xtqqczze
Copy link
Contributor

@xtqqczze xtqqczze commented May 2, 2020

PR Summary

Fix #12539

PR Context

markdownlint tests were removed in #10163 due to a security issue whoch has since been fixed in a newer version of markdownlint

PR Checklist

@ghost ghost assigned daxian-dbw May 2, 2020
@xtqqczze
Copy link
Contributor Author

xtqqczze commented May 2, 2020

Codacy markdown issues seem to contradict markdownlint issues.

iSazonov
iSazonov previously approved these changes May 2, 2020
View reviewed changes
@iSazonov iSazonov assigned TravisEz13 and unassigned daxian-dbw May 2, 2020
xtqqczze
xtqqczze commented May 2, 2020
View reviewed changes
test/common/markdown/gulpfile.js
.pipe(through2.obj(function obj(file, enc, next) {
markdownlint({
"files": [file.path],
"config": require(rootJsonFile)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Found non-literal argument in require (security/detect-non-literal-require)

@iSazonov iSazonov self-requested a review May 2, 2020 18:25
@iSazonov iSazonov dismissed their stale review May 2, 2020 18:25

New commits

@xtqqczze
Copy link
Contributor Author

xtqqczze commented May 2, 2020
edited 

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > gulp-cli > yargs > yargs-parser                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

The maintainer of the affected package claims the yargs-parser vulnerability does not introduce an attack vector in gulp.

See: gulpjs/gulp#2438

@TravisEz13
Copy link
Member

There mere presence of a high scored vuln on the machine will trigger the same issue that cause this to be removed.

@TravisEz13
Copy link
Member

I made a couple of edits to your branch. Please pull your branch if you need to edit something.

@TravisEz13
Copy link
Member

That component is not currently generating an alert.

@TravisEz13 TravisEz13 added the CL-Test Indicates that a PR should be marked as a test change in the Change Log label May 4, 2020
@TravisEz13 TravisEz13 added this to the 7.1.0-preview.3 milestone May 4, 2020
@xtqqczze
Copy link
Contributor Author

xtqqczze commented May 5, 2020

The maintainer of gulp says the vulnerable dependency will not be updated until the project releases a new major version, which does not appear to be imminient.

See: yargs/yargs-parser#264 (comment)

@xtqqczze
Copy link
Contributor Author

xtqqczze commented May 5, 2020

@TravisEz13 Perhaps we could do without gulp anyway, and use npm-run-script or equivalent?

@TravisEz13
Copy link
Member

@xtqqczze I'm not tied to gulp. As long as we still get test results. But if it reduces dependencies, I'm all for it.

@TravisEz13
Copy link
Member

Tell me if you want me to merge this as is and then update, or you want to change it first.

@xtqqczze
Copy link
Contributor Author

xtqqczze commented May 6, 2020

@TravisEz13 Merge this for now please.

@xtqqczze
Copy link
Contributor Author

rebased to resolve conflicts

@xtqqczze
Copy link
Contributor Author

xtqqczze commented May 30, 2020
edited

@TravisEz13 I'm not my change in 4180235 to use Write-Host is the best approach (CodeFactor issue), but I think we should log $markdownErrors somehow...

xtqqczze and others added 4 commits May 30, 2020 21:28
@xtqqczze
Fix markdownlint errors
00256c6 
* Split `\install-powershell-readme.md` into `install-powershell.ps1-README.md` and `install-powershell.sh-README.md` to fix `single-h1`
* Formatting changes to github issue templates as a result of fixing `single-h1`
@xtqqczze
Run yarn upgrade
c56002e
@xtqqczze
Update misc-analysis.yml
fd56dc7
@xtqqczze
Write errors to host
3a1a172
@xtqqczze
Copy link
Contributor Author

rebased to fix additionally markdownlint errors

TravisEz13
TravisEz13 requested changes Jun 2, 2020
View reviewed changes
Copy link
Member

@TravisEz13 TravisEz13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One one comment to address

@ghost ghost added the Waiting on Author The PR was reviewed and requires changes or comments from the author before being accept label Jun 2, 2020
@ghost ghost removed this from the 7.1.0-preview.4 milestone Jun 2, 2020
@TravisEz13
Copy link
Member

@PoshChan Please remind me in 1 hour

@PoshChan
Copy link
Collaborator

PoshChan commented Jun 2, 2020

@TravisEz13, this is the reminder you requested 1 hour ago

@TravisEz13 TravisEz13 changed the title Restore markdownlint tests Restore markdownlint tests Jun 2, 2020
@TravisEz13 TravisEz13 merged commit b03b968 into PowerShell:master Jun 2, 2020
@iSazonov iSazonov removed the Waiting on Author The PR was reviewed and requires changes or comments from the author before being accept label Jun 3, 2020
@iSazonov iSazonov added this to the 7.1.0-preview.4 milestone Jun 3, 2020
@ghost
Copy link

ghost commented Jun 25, 2020

🎉v7.1.0-preview.4 has been released which incorporates this pull request.:tada:

Handy links:

@ghost ghost mentioned this pull request Jun 25, 2020
Closed
@xtqqczze xtqqczze deleted the restore-markdownlint branch June 29, 2020 13:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TravisEz13 TravisEz13 TravisEz13 approved these changes

@adityapatwardhan adityapatwardhan Awaiting requested review from adityapatwardhan adityapatwardhan is a code owner

@anmenaga anmenaga Awaiting requested review from anmenaga anmenaga is a code owner

@daxian-dbw daxian-dbw Awaiting requested review from daxian-dbw daxian-dbw is a code owner

@joeyaiello joeyaiello Awaiting requested review from joeyaiello

@iSazonov iSazonov Awaiting requested review from iSazonov

Assignees

@TravisEz13 TravisEz13

Labels
CL-Test Indicates that a PR should be marked as a test change in the Change Log
Projects
None yet
Milestone
7.1.0-preview.4
Development

Successfully merging this pull request may close these issues.

Restore markdownlint tests
5 participants
@xtqqczze @TravisEz13 @PoshChan @iSazonov @daxian-dbw