-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changing package.json to use concat-stream "^2.0.0" and tap "^12.5.3"… #1899
base: master
Are you sure you want to change the base?
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -30,7 +30,7 @@ | |
"browserify-zlib": "~0.2.0", | ||
"buffer": "^5.0.2", | ||
"cached-path-relative": "^1.0.0", | ||
"concat-stream": "^1.6.0", | ||
"concat-stream": "^2.0.0", | ||
"console-browserify": "^1.1.0", | ||
"constants-browserify": "~1.0.0", | ||
"crypto-browserify": "^3.0.0", | ||
|
@@ -83,7 +83,7 @@ | |
"make-generator-function": "^1.1.0", | ||
"semver": "^5.5.0", | ||
"seq": "0.3.5", | ||
"tap": "^10.7.2", | ||
"tap": "^12.5.3", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What are the breaking changes here? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. npm audit kicks off a notice of 15 vulnerabilities, see
I am accountable to others for the "best-effort" basis on keeping packages secure to current standards. Fixing tap to 12.5.3 results in npm audit returning 0 known vulnerabilities. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. After tap@12.5.3
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don’t think vulns matter in dev deps, generally. In this case, this prototype pollution attack only affects when deep merging untrusted code, which can’t happen here. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The same goes for handlebars, which is only 'vulnerable' with untrusted templates. Browserify's dependencies only use trusted static templates. Still, fixing these warnings can be worthwhile, even if only because they're annoying to the developer. In this case though, we're specifically using older versions because the newer versions don't support all our target platforms. If there is a a way to upgrade without losing compatibility, I'd be all for it. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Agreed. I understand the dev deps is not relevant in a prod bundle. My security peers want to mitigate the risk wherever possible. I am looking at fresh conflicts in esm and the older node platforms the team supports. I will see if I can work something out. Right now build is breaking on esm.js. I'll be glad to have the PR accepted when I can prove that I can get through the build for all platforms. Cheers. Steve |
||
"temp": "^0.8.1", | ||
"through": "^2.3.4" | ||
}, | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -28,7 +28,7 @@ test('bare', function (t) { | |
} | ||
}); | ||
vm.runInNewContext(body, { | ||
Buffer: Buffer, | ||
Buffer: function (s) { return Buffer.from(s) }, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
var buf = Buffer.from ? Buffer.from(s) : Buffer(s) or use a module like There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixing. I have some fresh commits pending the PR so this is all backwards compatible. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Would you prefer I use safe-buffer to what I patched up in three of the test files (bare.js, bare_shebang.js and buffer.js)? I can do that too. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. safe-buffer might be easier because you can just use Buffer.from in all the callsites and it'll do the right thing. I don't really mind either way though! |
||
console: { | ||
log: function (msg) { | ||
t.ok(Buffer.isBuffer(msg)); | ||
|
@@ -57,7 +57,7 @@ test('bare api', function (t) { | |
} | ||
}); | ||
vm.runInNewContext(body, { | ||
Buffer: Buffer, | ||
Buffer: function (s) { return Buffer.from(s) }, | ||
console: { | ||
log: function (msg) { | ||
t.ok(Buffer.isBuffer(msg)); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the breaking change here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair point; I have been cleansing a lot of npm code and this change probably came on the heels of another package I updated to 2.0.0. IMO it's no harm, no foul to keep it at 1.6.0; and it's no-harm, no foul to tick it up. I am resubmitting a PR without the concat-stream 2.0.0