
Update watchpack to the most recent minor version to remove minimist vulnerability. #10571

Merged
merged 1 commit into webpack:webpack-4 from mjziolko/watchpack-vuln on Mar 28, 2020

Conversation

@mjziolko commented Mar 18, 2020

https://npmjs.com/advisories/1179
#10561

webpack has a prototype pollution vulnerability down the tree and I'm going through and creating patches for the deps on this semver.

webpack/watchpack#148
paulmillr/chokidar#993
mapbox/node-pre-gyp#492

What kind of change does this PR introduce?

Updates the minor version of watchpack

Did you add tests for your changes?

No, not sure if this needs one.

Does this PR introduce a breaking change?

No, but the version of watchpack that is being added here does not technically exist yet, so checks will fail until then.

What needs to be documented once your changes are merged?

That this vulnerability has been patched.

@webpack-bot (Contributor)

For maintainers only:

  • This needs to be documented (issue in webpack/webpack.js.org will be filed when merged)
  • This needs to be backported to webpack 4 (issue will be created when merged)

@mjziolko mjziolko changed the base branch from master to webpack-4 March 18, 2020 07:34
@alexander-akait (Member) left a comment

Do not need it, dependabot does it automatically after release.

@jomi-se commented Mar 18, 2020

Hi @evilebottnawi 👋

Would you mind telling me if there is any ETA for the release cycle for dependabot changes? Is it something like a couple of hours or a couple of days? Trying to handle a broken build due to npm audit stuff.

Thank you 🙌

@jomi-se commented Mar 18, 2020

(Nevermind, we were able to just let npm update the internal dependencies by recomputing them. Thanks anyway)

@jay-meister

@jomi-se can you add what you ran in order to fix this issue in your project?

@jomi-se commented Mar 18, 2020

@JMurphyWeb Here is what I did to fix this in a project that has webpack as a dependency:

  • I first ran npm audit fix so that everything that could be automatically fixed was fixed.
  • Then I ran npm audit again to get the list of remaining issues.
  • Then I did a text search in my package-lock.json for "mkdirp": { and removed this entry from the package-lock.json (not just the line, the full JSON entry for this package).
  • I ran npm i and most cases were fixed, but minimist was still included bundled in fs-events according to npm audit, so I removed that entry from fs-events and ran npm i again.

Problem fixed and package-lock.json minimally updated.

If you can afford it, you can just delete your package-lock.json (or the equivalent yarn file) and reinstall everything.

I'm not sure there is a way to do this in a single npm command instead of having to do all of this by hand.

@webpack-bot (Contributor)

@mjziolko Thanks for your update.

I labeled the Pull Request so reviewers will review it again.

@evilebottnawi Please review the new changes.

@webpack-bot (Contributor)

Thank you for your pull request! The most important CI builds succeeded, we’ll review the pull request soon.

@sokra sokra closed this Mar 27, 2020
@sokra sokra reopened this Mar 27, 2020
@sokra sokra merged commit 9efaba2 into webpack:webpack-4 Mar 28, 2020
@sokra (Member) commented Mar 28, 2020

Thanks

@karlhorky (Contributor) commented Apr 6, 2020

@jomi-se @JMurphyWeb and anyone else, if you're using Yarn v1, I've created a comprehensive guide about keeping transitive dependencies up to date, including upgrading them by hand in the yarn.lock file:

https://twitter.com/karlhorky/status/1246138834473095169
https://github.com/karlhorky/yarn-security-fixes/blob/master/readme.md

sbnewsthailand added a commit to sbnewsthailand/webpack that referenced this pull request Jun 1, 2023
8 participants