Meeting - 5/12/2021

[iansu]

Agenda

• News/announcements
• Review previous action items
• Advisory for v7 postcss/postcss#1574
• Use "paths" in tsconfig.json and jsconfig.json facebook/create-react-app#10014

Attendees

• @iansu
• @mrmckeb
• @darcyclarke
• @ianschmitz

Notes

• Advisory for v7 postcss/postcss#1574
  • Use PostCSS 8 in next version, possibly in 4.1 as well
• Consider starting regularly scheduled triage sessions
  • Schedule for off weeks on Wednesday
• Paths support
  • Use "paths" in tsconfig.json and jsconfig.json facebook/create-react-app#10014
  • See if we can ship with 4.1
• Start ticketing v5 work

Previous Action Items

• Ask about notifications for GitHub Discussions (@iansu)
• Build a new test suite that runs on GitHub Actions (@mrmckeb)
• Create new CLI (@iansu)
• Review swag production options
• Follow up with Google about WebWorker PR (@iansu)
• Talk to Facebook Open Source about T-shirts and swag (@iansu)
• Remove Jack from accounts (@iansu)
• Make sure the team has access to Azure DevOps (@iansu)
• Set up Open Collective (@iansu)
• Add maintainer info to README (@iansu)
• Find out what other projects are using react-dev-utils/openBrowser (@iansu)
• Fix and force-push master (@iansu)
• Don't swallow stack traces on warnings (@gaearon)
• Investigate how other similar projects handle testing (@ianschmitz)
• Lock down force pushing to master (@gaearon)
• Look into enabling canary releases (@ianschmitz)
• Come up with a list of potential Open Collective donors (@iansu)
• Talk to Dan about getting access to the eject survey (@iansu)
• Document triaging process (@iansu)
• Document PR process (@iansu)
• Create maintainer onboarding document (@iansu)

Action Items

• Ask about notifications for GitHub Discussions (@iansu)
• Build a new test suite that runs on GitHub Actions (@mrmckeb)
• Create new CLI (@iansu)
• Review swag production options
• Follow up with Google about WebWorker PR (@iansu)
• Talk to Facebook Open Source about T-shirts and swag (@iansu)
• Remove Jack from accounts (@iansu)
• Make sure the team has access to Azure DevOps (@iansu)
• Set up Open Collective (@iansu)
• Add maintainer info to README (@iansu)
• Find out what other projects are using react-dev-utils/openBrowser (@iansu)
• Fix and force-push master (@iansu)
• Don't swallow stack traces on warnings (@gaearon)
• Investigate how other similar projects handle testing (@ianschmitz)
• Lock down force pushing to master (@gaearon)
• Look into enabling canary releases (@ianschmitz)
• Come up with a list of potential Open Collective donors (@iansu)
• Talk to Dan about getting access to the eject survey (@iansu)
• Document triaging process (@iansu)
• Document PR process (@iansu)
• Create maintainer onboarding document (@iansu)

Details

May 12, 2021 10:00am Pacific
https://www.timeanddate.com/worldclock/fixedtime.html?msg=Create+React+App+maintainers+meeting&iso=20210512T17&p1=1440

Zoom: https://zoom.us/j/163553316

[xi1570-krupeshanadkat]

I guess May 12 has passed long time ago. Please make the releases, postcss shows lot of

# npm audit report

postcss  7.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via `npm audit fix --force`
Will install parcel-bundler@1.10.3, which is a breaking change
node_modules/postcss
node_modules/purgecss/node_modules/postcss
  css-declaration-sorter  4.0.0 - 5.1.2
  Depends on vulnerable versions of postcss
  node_modules/css-declaration-sorter
  cssnano  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.11
  Depends on vulnerable versions of postcss
  node_modules/cssnano
    htmlnano  >=0.2.2
    Depends on vulnerable versions of cssnano
    Depends on vulnerable versions of purgecss
    Depends on vulnerable versions of uncss
    node_modules/htmlnano
      parcel-bundler  >=1.11.0
      Depends on vulnerable versions of htmlnano
      Depends on vulnerable versions of postcss
      node_modules/parcel-bundler
  cssnano-preset-default  <=4.0.0-rc.2 || 4.0.1 - 4.0.8
  Depends on vulnerable versions of cssnano-util-raw-cache
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-minify-gradients
  node_modules/cssnano-preset-default
  cssnano-util-raw-cache  >=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/cssnano-util-raw-cache
  postcss-calc  6.0.2 - 7.0.5
  Depends on vulnerable versions of postcss
  node_modules/postcss-calc
  postcss-colormin  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-colormin
  postcss-convert-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-convert-values
  postcss-discard-comments  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-comments
  postcss-discard-duplicates  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-duplicates
  postcss-discard-empty  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-empty
  postcss-discard-overridden  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-overridden
  postcss-merge-longhand  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.6 - 4.0.11
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-longhand
  postcss-merge-rules  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-rules
  postcss-minify-font-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-font-values
  postcss-minify-gradients  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-gradients
  postcss-minify-params  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-params
  postcss-minify-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-selectors
  postcss-normalize-charset  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-charset
  postcss-normalize-display-values  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-display-values
  postcss-normalize-positions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-positions
  postcss-normalize-repeat-style  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-repeat-style
  postcss-normalize-string  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-string
  postcss-normalize-timing-functions  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-timing-functions
  postcss-normalize-unicode  <=4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-unicode
  postcss-normalize-url  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-url
  postcss-normalize-whitespace  <=4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-whitespace
  postcss-ordered-values  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.1.1 - 4.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-ordered-values
  postcss-reduce-initial  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.2 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-initial
  postcss-reduce-transforms  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-transforms
  postcss-svgo  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-svgo
  postcss-unique-selectors  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-unique-selectors
  purgecss  1.1.0 - 3.0.0
  Depends on vulnerable versions of postcss
  node_modules/purgecss
  stylehacks  4.0.0-nightly.2020.1.9 - 4.0.0-rc.2 || 4.0.1 - 4.0.3
  Depends on vulnerable versions of postcss
  node_modules/stylehacks
  uncss  >=0.17.0
  Depends on vulnerable versions of postcss
  node_modules/uncss

37 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

There are so many people facing same issues

1. PostCSS 8 facebook/create-react-app#9664
2. https://stackoverflow.com/questions/67501746/postcss-7-0-0-8-2-9-severity-moderate-regular-expression-denial-of-service
3. https://stackoverflow.com/questions/67654812/npm-audit-on-project-gives-many-errors
4. https://www.gitmemory.com/issue/facebook/create-react-app/9641/705726302

😓

[mccright]

Yes. Many are facing this issue.
I work for an AppSec department at a global financial services corporation that has small armies of compliance personnel who care a lot about this collection of vulnerabilities. In the current context, that results in largely wasted/unproductive work.
Across the globe, the development teams that I support must deploy safe-enough software. Even under the best of conditions, this is a serious challenge.
Please get this upgrade completed and deployed. There are real, material costs (to say nothing about the exploit risks) to the extended period required to purge this collection of vulnerabilities.

[peiris]

Pretty please, What's the update of this?

[mrmckeb]

I've created this PR to resolve this:
facebook/create-react-app#11121

Hopefully we'll have this out for 4.1. Please keep all other discussion in the related thread - facebook/create-react-app#9664

Thanks!