v3.8.1 proposal (became v4.0.0) #1718
Conversation
|
fcb0117025 needs the rest of the changes to Could you also swap the ordering so that the update to tar 4.4.8 comes last? That way every commit would build in case we'd ever want to bisect. |
Tar version 3 performs better and is more well tested than its predecessor. npm will be using this in the near future, so there is no benefit in shipping a node-gyp that uses the slower and less reliable fstream-based tar. This drops support for node 0.x, and thus should be considered a breaking semver-major change. PR-URL: nodejs#1212 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
PR-URL: nodejs#1713 Reviewed-By: Refael Ackermann <refack@gmail.com>
|
Rebased over 6e1e425 |
|
Shouldn't CI jobs for 0.10 and 0.12 be removed from the matrix as support is dropped ? |
Will do, but only after this PR gets some LGTMs. |
There was a problem hiding this comment.
- [
3578b2abf0] - deps: explicit limit on supported engines (Refael Ackermann)
nit: maybe reword this commit message? The supported engines was bumped in the earlier tar v3 commit.
| @@ -32,11 +31,11 @@ | |||
| "request": "^2.87.0", | |||
| "rimraf": "2", | |||
| "semver": "~5.3.0", | |||
| "tar": "^2.0.0", | |||
| "tar": "4", | |||
There was a problem hiding this comment.
Should this be?:
| "tar": "4", | |
| "tar": "^4.4.8", |
Otherwise users without npm audit may still get the unsecure version.
There was a problem hiding this comment.
this is the only part left in 6bc9bf1 so I'm removing that commit entirely and it'll end up with ^4.4.8
|
looks like version should be 4.0.0 according to semver due to breaking changes |
When updating dependencies (in this case node) SemVer does not necessarily require a major release.
|
|
Can someone explain what the hold up is here please? |
Two can not be fixed yet: - swagger-api/swagger-node#579 - nodejs/node-gyp#1718
|
Ping @refack If this includes a breaking change, it should also be a new major version. I believe it should be possible to release a 3.8.1 that just includes the non breaking commits and then to release v4.0.0 right after. |
|
Hi, would the major change be limited to requiring Node > 4? If so, it would be acceptable to explain in the changelog (if it's visible enough) that projects that are already on a recent Node version can upgrade without problems. At least for Etherpad (ether/etherpad-lite#3598) this would be ok. A minor version that only solves the vulnerability would clearly even better (if technically possible). |
@xzyfer Perhaps an issue should be filed to https://github.com/npm/node-tar as the starting point, explaining that the usage of older branches is still high and that updating to |
Partial resolution of https://www.npmjs.com/advisories/803 Full resolution pending nodejs/node-gyp#1718
|
@ChALkeR done in isaacs/node-tar#212 |
|
@xzyfer Thanks! I left a comment there and also pinged npm about that. |
|
If there are concerns with releasing this, there is nothing wrong with making it a major release. |
|
v4.0.0 is out, now we have to consider the |
|
|
|
Thank you for releasing!! |
|
Is there any plan to cut a node-gyp release that doesn't break support for Node < 4 if a fix for node-tar@2 can be found? |
|
@xzyfer I think it'd be reasonable to cut another v3.x if you can get an old branch of node-tar released that will work with it |
|
What about forking tar, fixing the issue in v2 and to use the fork in node-gyp 3 (ideally we do not need a fork and just a PR and a new release for tar@2)? I know it's just a work around but that's at least something we could do for people who can't update yet. |
|
No need to fork. The node-tar folks have said they're open to accepting a PR. |
|
we're having a hard enough time maintaining node-gyp, I don't think we really need another codebase to manage even if limited in scope |
|
I mentioned this on this thread (1456ef2) , but I am still having an issue when I update node-gyp. I run npm install node-gyp and get the correct 4.0.0 package, but then I get an error that I something changed and I need to "Run npm rebuild node-sass to download the binding for your current environment." When I do this, it re-loads the 3.8.x version of node-gyp. Error below from the rebuild of node-sass: gyp ERR! node -v v9.4.0 |
|
I have edited some info into the original post so as to make this less confusing. |
|
node-tar@2.2.2 has been released which patches the vulnerability. Would it be possible to cut release a node-gyp@2.x with this update so that upstreams aren't forced break old node BC? |
|
NVM looks like node-gyp depended on node-tar@^2.0.0 which should mean the issue is resolved. |
|
Github is still reporting the vulnerability as existing because NIST's vulnerability report didn't consider 2.2.2 of
So stay tuned, because soon tar 2.2.2 will be recognized as an acceptable, non-vulnerable version, and appropriate versions of node-gyp using |
Edit: @Fishrock123
Please see this comment for the final status of this issue: #1718 (comment)
v3.8.1 2019-04-12
Due to security concerns this version drops support for Node.js versions < 4.0.0
3578b2abf0] - deps: explicit limit on supported engines (Refael Ackermann)ec8505e15f] - deps: updated tar package version to 4.4.8 (Pobegaylo Maksim) #17136e1e425ffb] - (BREAKING for node < 4) Upgrade to tar v3 (isaacs) #1212e6699d13cd] - test: fix addon test for Node.js 12 and V8 7.4 (Richard Lau) #17050c6bf530a0] - lib: use print() for python version detection (GreenAddress) #1534Checklist
npm install && npm testpassesDescription of change