
Bump up babel-cli version to fix security alert #3121

Merged
merged 4 commits into OpenAPITools:master from ackintosh:fix-security-alert on Jun 8, 2019

Conversation

@ackintosh (Member) commented Jun 8, 2019

PR checklist

  • Read the contribution guidelines.
  • Ran the shell script under ./bin/ to update Petstore sample so that CIs can verify the change. (For instance, only need to run ./bin/{LANG}-petstore.sh, ./bin/openapi3/{LANG}-petstore.sh if updating the {LANG} (e.g. php, ruby, python, etc) code generator or {LANG} client's mustache templates). Windows batch files can be found in .\bin\windows\. If contributing template-only or documentation-only changes which will change sample output, be sure to build the project first.
  • Filed the PR against the correct branch: master, 4.1.x, 5.0.x. Default: master.
  • Copied the technical committee to review the pull request if your PR is targeting a particular programming language.

Description of the PR

Updated the babel-cli version to fix the alert below.

Regular Expression Denial of Service
https://www.npmjs.com/advisories/786

$ cd samples/client/petstore/javascript-flowtyped
$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ babel-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ babel-cli > chokidar > anymatch > micromatch > braces        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 6034 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Used the npx CLI tool to work out how we should update package.json and .babelrc.

$ cd samples/client/petstore/javascript-flowtyped
$ npx babel-upgrade --write


🙌  Thanks for trying out https://github.com/babel/babel-upgrade !

Updating closest package.json dependencies
Index: /Users/akihito1/src/github.com/ackintosh/openapi-generator-1/samples/client/petstore/javascript-flowtyped/package.json
===================================================================
--- /Users/akihito1/src/github.com/ackintosh/openapi-generator-1/samples/client/petstore/javascript-flowtyped/package.json      Before Upgrade
+++ /Users/akihito1/src/github.com/ackintosh/openapi-generator-1/samples/client/petstore/javascript-flowtyped/package.json      After Upgrade
@@ -21,12 +21,13 @@
   "dependencies": {
     "portable-fetch": "^3.0.0"
   },
   "devDependencies": {
-    "babel-cli": "^6.26.0",
-    "babel-core": "^6.26.3",
-    "babel-plugin-transform-flow-strip-types": "^6.22.0",
+    "@babel/cli": "^7.0.0",
+    "@babel/core": "^7.0.0",
+    "@babel/plugin-transform-flow-strip-types": "^7.0.0",
     "babel-preset-react-app": "^3.1.1",
     "flow-copy-source": "^1.3.0",
-    "rimraf": "^2.6.2"
+    "rimraf": "^2.6.2",
+    "@babel/preset-flow": "^7.0.0"
   }
 }
\ No newline at end of file
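Review bot: this hunk is a Babel 6 to Babel 7 migration (babel-cli, babel-core and babel-plugin-transform-flow-strip-types replaced by @babel/cli, @babel/core and @babel/plugin-transform-flow-strip-types at ^7.0.0, plus a new @babel/preset-flow), not a bump of babel-cli as the PR title says, so the title and description should say so. Two things to check before merging: `babel-preset-react-app` stays at `^3.1.1` next to `@babel/core` at `^7.0.0`, so please confirm that preset version loads under Babel 7 instead of pulling in a Babel 6 toolchain of its own, which could bring the same `braces` path back under a different parent. And the description only shows `npm audit` before the change; a post-upgrade run (with the lockfile regenerated, if one is committed) is the evidence that `babel-cli > chokidar > anymatch > micromatch > braces` is actually gone. Since this file lives under samples/ and the checklist says samples are regenerated by the ./bin scripts, the javascript-flowtyped template needs the same change or the next regeneration restores the old versions. Minor: `@babel/preset-flow` is appended after `rimraf`, breaking the alphabetical order of the block, and the file still ends without a trailing newline.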


Updating .babelrc config at .babelrc
Index: .babelrc
===================================================================
--- .babelrc    Before Upgrade
+++ .babelrc    After Upgrade
@@ -1,8 +1,9 @@
 {
   "presets": [
-    "react-app"
+    "react-app",
+    "@babel/preset-flow"
   ],
   "plugins": [
-    "transform-flow-strip-types"
+    "@babel/plugin-transform-flow-strip-types"
   ]
 }
\ No newline at end of file
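Review bot: `@babel/preset-flow` and `@babel/plugin-transform-flow-strip-types` are now both enabled, but the preset consists of that plugin, so the `plugins` entry is redundant once the preset is in place (babel-upgrade adds both mechanically); keep one of the two, preferably the preset, and drop the other. `react-app` is also left unscoped while every other entry moved to `@babel/*` names; it resolves to whatever `babel-preset-react-app` version package.json pins, so the same Babel 6 versus 7 compatibility question applies here. The missing trailing newline is carried over unchanged.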
@ackintosh (Member, Author) commented Jun 8, 2019

@wing328
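The description above finds the vulnerable transitive path with `npm audit` and then swaps out the Babel toolchain. The script below is an added example, not part of this PR or of openapi-generator, showing the check a reviewer would want around that step: it turns an `npm audit --json` report (the npm 6 report shape is assumed) into one row per advisory and dependency path, names the direct dependency whose bump removes the path, and returns a non-zero exit code when anything at or above a chosen severity remains, optionally ignoring findings reachable only through devDependencies. The embedded report is constructed to mirror the one in the description; `satisfies` is a minimal comparator for the `>=x.y.z` ranges npm puts in `patched_versions`, not a full semver implementation.

```javascript
'use strict';

// Severity ranking used by npm audit, lowest first.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the npm 6 `npm audit --json` shape (assumed format);
// it mirrors the single finding shown in the PR description.
const SAMPLE_AUDIT = {
  advisories: {
    '786': {
      id: 786,
      module_name: 'braces',
      title: 'Regular Expression Denial of Service',
      severity: 'low',
      vulnerable_versions: '<2.3.1',
      patched_versions: '>=2.3.1',
      url: 'https://npmjs.com/advisories/786',
      findings: [
        { version: '2.3.0', dev: true, paths: ['babel-cli>chokidar>anymatch>micromatch>braces'] },
      ],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 0, critical: 0 }, totalDependencies: 6034 },
};

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range check for the comparator sets npm uses in patched_versions, e.g. ">=2.3.1"
// or ">=1.0.0 <2.0.0 || >=3.0.0" ("<0.0.0" means no fix exists). No ^, ~ or x-ranges.
function satisfies(version, range) {
  return String(range).split('||').some((alternative) => {
    const comparators = alternative.trim().split(/\s+/).filter(Boolean);
    return comparators.length > 0 && comparators.every((comp) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '<': return c < 0;
        default: return c === 0;
      }
    });
  });
}

// One row per (advisory, dependency path), plus the rows that should fail the build.
function summarize(audit, { failOn = 'low', includeDev = true } = {}) {
  if (!(failOn in SEVERITY_RANK)) throw new Error(`unknown severity: ${failOn}`);
  const rows = [];
  for (const adv of Object.values(audit.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        rows.push({
          id: adv.id,
          module: adv.module_name,
          severity: adv.severity,
          version: finding.version,
          dev: Boolean(finding.dev),
          path,
          direct: path.split('>')[0],            // first hop: the dependency to bump
          fixAvailable: adv.patched_versions !== '<0.0.0', // npm's marker for "no fix"
          patchedIn: adv.patched_versions,
        });
      }
    }
  }
  const threshold = SEVERITY_RANK[failOn];
  const failing = rows.filter(
    (r) => (includeDev || !r.dev) && (SEVERITY_RANK[r.severity] || 0) >= threshold
  );
  return { rows, failing, exitCode: failing.length > 0 ? 1 : 0 };
}

function formatRows(rows) {
  return rows
    .map((r) => `${r.severity.padEnd(8)} ${r.module}@${r.version} [${r.dev ? 'dev' : 'prod'}] bump ${r.direct}: ${r.path}` +
      (r.fixAvailable ? ` (patched in ${r.patchedIn})` : ' (no patched version)'))
    .join('\n');
}

// CLI entry point, only active when --report is given so the functions above can also be imported:
//   npm audit --json > audit.json && node audit-gate.js --report audit.json
const reportIdx = typeof process !== 'undefined' ? process.argv.indexOf('--report') : -1;
if (reportIdx !== -1) {
  import('fs').then((fs) => {
    const audit = JSON.parse(fs.readFileSync(process.argv[reportIdx + 1], 'utf8'));
    const failOn = process.env.AUDIT_FAIL_ON || 'low';
    const includeDev = process.env.AUDIT_INCLUDE_DEV !== '0';
    const { rows, failing, exitCode } = summarize(audit, { failOn, includeDev });
    console.log(rows.length ? formatRows(rows) : 'no findings');
    console.log(`${failing.length} finding(s) at or above '${failOn}'${includeDev ? '' : ' (devDependencies ignored)'}`);
    process.exitCode = exitCode;
  });
}
```

Run it in the sample directory before and after the upgrade; only the first run should print a row whose `bump` column names `babel-cli`. `AUDIT_FAIL_ON=moderate` relaxes the threshold and `AUDIT_INCLUDE_DEV=0` ignores paths that exist only through devDependencies, which is the right setting for a published library whose consumers install only `dependencies`; for a sample whose build runs Babel on CI the default keeps them. One caveat the gate cannot express: a ReDoS in `braces` is only reachable when untrusted input reaches its pattern parser, and for a build-time file watcher that is unlikely, so `npm audit` reporting it as low is about the package, not about this project's exposure.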

wing328 (Member) approved these changes Jun 8, 2019

LGTM

@wing328 wing328 merged commit 2a5a272 into OpenAPITools:master Jun 8, 2019

4 checks passed

Shippable Run 8592 status is SUCCESS.
ci/circleci Your tests passed on CircleCI!
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed

@ackintosh ackintosh deleted the ackintosh:fix-security-alert branch Jun 9, 2019

fantavlik added a commit to fantavlik/openapi-generator that referenced this pull request Jun 17, 2019

Merge branch 'master' of github.com:OpenAPITools/openapi-generator into inline-resolver

* 'master' of github.com:OpenAPITools/openapi-generator: (213 commits)
  Idiomatic Rust returns for Error conversions (OpenAPITools#2812)
  Add API timeout handling (OpenAPITools#3078)
  Import inner items for map (OpenAPITools#3123)
  update core team in pom.xml (OpenAPITools#3126)
  [gradle] Document consuming via gradle plugin portal (OpenAPITools#3125)
  Bump up babel-cli version to fix security alert (OpenAPITools#3121)
  [C++] [cpprestsdk] Add examples and test for cpprestsdk (OpenAPITools#3109)
  Add enum support to `rust` and skip none option serialization in clients (OpenAPITools#2244)
  Add/update new core team member: etherealjoy (OpenAPITools#3116)
  Gradle sample on travis (OpenAPITools#3114)
  [typescript-fetch] add bearer token support (OpenAPITools#3097)
  Add Q_DECLARE_METATYPE to the generated models and remove ref in signals (OpenAPITools#3091)
  [Java][okhttp-gson] Update dependencies (OpenAPITools#3103)
  Link query parameter to model object (OpenAPITools#2710)
  scala-play-server: fix enum names for reserved words (OpenAPITools#3080)
  Add @Sunn to openapi generator core team (OpenAPITools#3105)
  fix NPE in go generator (OpenAPITools#3104)
  scala-play-server: fix API doc url (OpenAPITools#3096)
  [maven-plugin] fix strictSpec parameter without alias (OpenAPITools#3095)
  Ruby: Avoid double escaping path items (OpenAPITools#3093)
  ...

# Conflicts:
#	modules/openapi-generator/src/main/java/org/openapitools/codegen/InlineModelResolver.java
#	modules/openapi-generator/src/test/java/org/openapitools/codegen/InlineModelResolverTest.java

jimschubert added a commit to jimschubert/openapi-generator that referenced this pull request Jun 24, 2019

Merge branch 'master' into release-versioning-helper
* master: (25 commits)
  Add #send to ruby reserved word list (OpenAPITools#3146)
  Merge java8 doc for spring (OpenAPITools#3122)
  added api key authentication to aspnetcore 2.1 (OpenAPITools#3089)
  Add "yue9944882" to Perl technical committee (OpenAPITools#3194)
  [csharp-netcore]: Adding http response details in api_docs and making example snippet compilable (OpenAPITools#3128)
  generate travis configuration (OpenAPITools#3193)
  Perl: Basic bearer auth support (OpenAPITools#3192)
  [R] feat(r) : Alternate PR for serialization fixes along with WithHttpInfo method enhancement (OpenAPITools#3099)
  improve release checkout script (OpenAPITools#3184)
  Prepare 4.0.3-SNAPSHOT  (OpenAPITools#3185)
  4.0.2 release (OpenAPITools#3181)
  Fix rubocop obsolescence (OpenAPITools#3175)
  Add Fuse to the company list (OpenAPITools#3164)
  Idiomatic Rust returns for Error conversions (OpenAPITools#2812)
  Add API timeout handling (OpenAPITools#3078)
  Import inner items for map (OpenAPITools#3123)
  update core team in pom.xml (OpenAPITools#3126)
  [gradle] Document consuming via gradle plugin portal (OpenAPITools#3125)
  Bump up babel-cli version to fix security alert (OpenAPITools#3121)
  [C++] [cpprestsdk] Add examples and test for cpprestsdk (OpenAPITools#3109)
  ...