base yarn.lock off upstream #46

Merged
merged 5 commits into from Aug 14, 2019

Conversation

cg505 (Contributor) commented Aug 13, 2019

This PR reverts to the yarn.lock provided by metamask, and then makes the changes we need for things to work and to avoid vulnerabilities.

This fixes the issues with yarn test:unit. It also fixes the issues with material-ui throwing a fit about react 16 when using yarn dev:brave. Finally, it fixes the weird infura network errors that prevent some stuff from working (like loading erc20 tokens).

There are 10 low-severity vulnerabilities left after these changes.

  • 3 are web3, for which a patch hasn't been released.
  • 2 are marked, and 5 are braces. These can't be resolved without heavy modification to the dependency tree. I tried.
    These are all also present in master, except for the marked package that jsdoc depends on (which is present anyway via another package).

The commits are separated to make this easier to review. The first commit can be ignored; it just copies the yarn.lock from metamask. The other commits are incremental changes that you should be able to make sense of.

@cg505 cg505 requested review from bbondy and ryanml Aug 13, 2019
cg505 added 5 commits Aug 13, 2019

This yarn.lock is broken/doesn't correspond with package.json, but having this commit makes the following commits (which diverge from upstream) much clearer.

This is basically just `yarn && git add yarn.lock && git commit`. We hold @material-ui/core at 1.0.0 because this is what upstream does, and moving it to 1.5.3 or whatever seriously breaks things. (It expects React 16.) Holding @material-ui/core at 1.0.0 does not cause vulnerability problems.

This yarn.lock has plenty of security vulnerabilities that will be resolved in the following commits.

This upgrades set-value, mixin-deep, and union-value to avoid vulnerabilities in set-value and mixin-deep.

snyk-mvn-plugin has a hard dependency on lodash 4.17.11, which has a high-severity vulnerability. To upgrade to a version that uses a newer version of lodash, we must upgrade snyk to >= 1.209.0.

ganache-core ~2.5.7 has a hard dependency on lodash 4.17.11, which has a high-severity vulnerability. We can upgrade to ganache-core 2.6.1 to resolve the issue and finally remove the vulnerable version of lodash from the dependency tree.
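The reasoning in the snyk and ganache-core commits above (a dependent that pins lodash 4.17.11 exactly cannot be floated by re-resolving the lockfile, so the dependent itself has to be upgraded) can be checked mechanically against a yarn.lock. The following is an added example, not code from this PR or from the project: a minimal parser for the yarn.lock v1 format that lists every package resolving to a named vulnerable version and flags whether each dependent pins it exactly or through a range. The lockfile text is constructed for the example; the package names come from the commit messages, but their versions (other than lodash 4.17.11), the `resolved` URLs and the `example-tool` package are assumptions.

```javascript
// Added example: inspect a yarn.lock (v1 format) for dependents of a known
// vulnerable package version. Not code from this PR; the lockfile below is
// constructed. Package names follow the commit messages, but versions other
// than lodash 4.17.11, the "resolved" URLs and "example-tool" are placeholders.

const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


lodash@4.17.11, lodash@^4.17.4:
  version "4.17.11"
  resolved "https://registry.example.invalid/lodash-4.17.11.tgz"

lodash@^4.17.15:
  version "4.17.15"
  resolved "https://registry.example.invalid/lodash-4.17.15.tgz"

snyk-mvn-plugin@1.0.0:
  version "1.0.0"
  resolved "https://registry.example.invalid/snyk-mvn-plugin-1.0.0.tgz"
  dependencies:
    lodash "4.17.11"

"ganache-core@~2.5.7":
  version "2.5.7"
  resolved "https://registry.example.invalid/ganache-core-2.5.7.tgz"
  dependencies:
    lodash "4.17.11"

example-tool@^1.0.0:
  version "1.2.0"
  resolved "https://registry.example.invalid/example-tool-1.2.0.tgz"
  dependencies:
    lodash "^4.17.4"

"@material-ui/core@1.0.0":
  version "1.0.0"
  resolved "https://registry.example.invalid/core-1.0.0.tgz"
  dependencies:
    lodash "^4.17.15"
`;

const unquote = (s) => s.replace(/^"|"$/g, "");

// Split "name@range" on the last "@" so scoped names like "@scope/pkg@1.0.0" work.
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

// Parse a v1 lockfile into entries of { specs, version, dependencies }.
// Header lines (indent 0, ending in ":") carry one or more "name@range" keys;
// indent-2 lines carry fields; indent-4 lines under "dependencies:" are deps.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(":")) {
      const specs = line.slice(0, -1).split(",").map((s) => unquote(s.trim()));
      current = { specs, version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (indent === 2 && current) {
      inDeps = line === "dependencies:" || line === "optionalDependencies:";
      if (line.startsWith("version ")) current.version = unquote(line.slice(8));
    } else if (indent === 4 && inDeps && current) {
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Every entry whose range on `name` resolves to the `version` entry.
// exactPin means a bare "x.y.z" range: yarn cannot float it, so the dependent
// itself must be upgraded (the snyk / ganache-core case in the commits above).
function findDependents(entries, name, version) {
  const target = entries.find(
    (e) => e.version === version && e.specs.some((s) => splitSpec(s).name === name)
  );
  if (!target) return [];
  const ranges = new Set(target.specs.map((s) => splitSpec(s).range));
  return entries
    .filter((e) => name in e.dependencies && ranges.has(e.dependencies[name]))
    .map((e) => ({
      dependent: `${splitSpec(e.specs[0]).name}@${e.version}`,
      range: e.dependencies[name],
      exactPin: /^\d+\.\d+\.\d+$/.test(e.dependencies[name]),
    }));
}

// What has to change to get `name@version` out of the tree.
function remediationPlan(entries, name, version) {
  const deps = findDependents(entries, name, version);
  return {
    upgradeDependent: deps.filter((d) => d.exactPin).map((d) => d.dependent),
    reResolveRange: deps.filter((d) => !d.exactPin).map((d) => d.dependent),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const entries = parseYarnLock(SAMPLE_LOCK);
  console.log(JSON.stringify(remediationPlan(entries, "lodash", "4.17.11"), null, 2));
}
```

Run against the constructed lockfile, the plan lists snyk-mvn-plugin and ganache-core under `upgradeDependent` (exact pins, matching the two commits) and example-tool under `reResolveRange` (a caret range that a re-resolution such as `yarn upgrade lodash` can move to a fixed release, the approach the set-value/mixin-deep commit took). Note that the `@material-ui/core` entry is not reported: its range already resolves to a separate, non-vulnerable lodash entry, which is the duplicated-lodash situation the last commit describes clearing up.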
@cg505 cg505 force-pushed the fix-yarn-lock branch from 4b21a92 to 034c97e Aug 13, 2019
bbondy approved these changes Aug 14, 2019

bbondy (Member) commented Aug 14, 2019

Thanks, nice work.

@bbondy bbondy merged commit b9f4020 into master Aug 14, 2019
1 check failed
Travis CI - Pull Request Build Errored
@cg505 cg505 deleted the fix-yarn-lock branch Aug 14, 2019