fix: Replace update notifier with simplified deps #2033
Conversation
this is good, but I'm wary your windows test didn't pass: https://github.com/alexbrazier/simple-update-notifier/runs/7033149767?check_suite_focus=true
@remy thanks for looking into it! I actually force pushed that update as the
Edit: Looks like I was looking at the wrong build you referenced - that failure was an old one caused by the single quotes that Windows wasn't liking and has since been fixed
Seems it is not compatible with node 8.10.0 (minimum required version for nodemon) because
Thanks @zorn-v, I've now pushed an update to fix that
@alexbrazier worth wrapping this in a try/catch - https://github.com/alexbrazier/simple-update-notifier/blob/master/src/getDistVersion.ts#L13 - I can't remember what happens if this fails inside of the deep event handler - might be worth injecting some bad code to see how it behaves.
Sure, something like this? https://github.com/alexbrazier/simple-update-notifier/pull/2/files
@alexbrazier have you thought about using semver module instead of implementing your own version check?
I was originally trying to keep it simple but now the version check has become more complicated than expected and still not perfect so happy to swap it out for
I'm letting @alexbrazier have some time to settle the code base. It's not a straight up simple change and a few extra days to help iron out issues will be worthwhile in the long run. Plus, the reality of the vuln in nodemon has near zero impact. Of course it's not zero, but there's no path to exploit the actual vuln through nodemon (partly because it's fired outside of calling your code - which would take advantage of the vuln, and partly because nodemon in a lot of cases forks the sub process, so it never has access to any of the nodemon code - and thusly the vuln on
The issue isn't being ignored, @alexbrazier has kindly and valiantly taken up the mantle to solve this dependency once and for all.
semver 7.3.7 has "engines": { "node": ">=10" }
There is
Nothing when installing with npm, but seems there is an issue with yarn
You can use
👍 Decided to go with this to avoid the yarn issue with node 8. Just pushed the update now.
hi @remy is there a projected release date for this change?
In the very near future. Why are you asking? Is there a genuine situation that you've managed to find that the `got` package can be reached? (I'm certain it can't but it would be useful to share with others).
@alexbrazier I want to merge this up, I feel like it's had its time to percolate. But when I merge there's suddenly going to be, quite literally, millions of users in an absolute boat load of different scenarios using this library through nodemon. So what I wanted to ask is: is there anything you're not 100% sure about? (Not meant as this is all on you!). I've been reading and re-reading your code to see if I can see anything. Couple of things I wondered were:
@remy I would say I'm fairly confident with it as it's been tested down to node
I think it's the same thing for network timeouts or errors (I've tested without an internet connection) where the promise will reject it will just catch the error. For the testing scenario it uses
Thanks for fixing this @alexbrazier. Looking forward to its deployment. :)
🎉 This PR is included in version 2.0.19 🎉 The release is available on: Your semantic-release bot 📦🚀
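The thread asks for three properties of the replacement: the registry lookup is wrapped in try/catch so a failure inside nodemon's event handler can never surface, network timeouts and errors simply reject and are swallowed, and version comparison is done numerically (the thread recommends the `semver` module rather than a hand-rolled check). This added example, which is not nodemon's or simple-update-notifier's code, shows that shape with an injected fetcher so it runs offline; `parseVersion`, `isNewer`, `checkForUpdate` and the `fetchers` table are all assumed names, and the x.y.z-only comparison stands in for `semver` to keep the example self-contained.

```javascript
// Fail-safe update check (added example). The fetcher is injected so the
// check runs without the network; every failure path (rejection, timeout,
// unparsable version) is caught and reported, never thrown to the caller.

function parseVersion(v) {
  // Minimal x.y.z parser; real code should use the semver package,
  // which also handles prerelease and build metadata.
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function isNewer(latest, current) {
  // Compare part by part as numbers: "1.10.0" is newer than "1.9.0",
  // which a plain string comparison gets wrong.
  const a = parseVersion(latest);
  const b = parseVersion(current);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return false;
}

async function checkForUpdate(pkg, fetchDistVersion, timeoutMs = 3000) {
  let timer;
  try {
    const timeout = new Promise((_, reject) => {
      timer = setTimeout(() => reject(new Error('update check timed out')), timeoutMs);
    });
    // Whichever settles first wins; a hung request is bounded by the timer.
    const latest = await Promise.race([fetchDistVersion(pkg.name), timeout]);
    return { update: isNewer(latest, pkg.version), latest, error: null };
  } catch (err) {
    // Swallow everything: an update check must never take the host down.
    return { update: false, latest: null, error: err.message };
  } finally {
    clearTimeout(timer);
  }
}

// Constructed stand-ins for the registry call, covering the failure modes
// discussed in the thread (assumed values, not real registry responses).
const fetchers = {
  ok: async () => '2.0.19',
  offline: async () => { throw new Error('ENOTFOUND registry.npmjs.org'); },
  hang: () => new Promise(() => {}),        // never settles
  garbage: async () => 'not a version',
};
```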
Don't really like that modules create files outside of their own directory and cache things in config store files...
@jimmywarting update-notifier was always doing this, and if you look in your
What about this project focused to standardize the way of using the .cache folder? https://github.com/avajs/find-cache-dir
Firstly, it isn't standardised. Secondly, again, the aim was to keep things the same as possible, and update-notifier was using an existing .config directory for many years prior.
@jimmywarting and @remy - My suggestion is to create a different story if this makes sense to do, then the work can be prioritized accordingly. It's not really a part of this PR.
Updates package-json to >=8.0.0 for the vulnerability in got (>= 12.0.0, < 12.1.0 and < 11.8.5; #2028, CVE-2022-33987). Replaces update-notifier with simple-update-notifier, which does the same thing but has one dependency (semver) rather than several.
Demo