Handling https-proxy-agent GitHub security issue. #2356
Conversation
It works!
Coming to graphql-cli, I have tried upgrading it to the latest version, but the deep dependency of https-proxy-agent is still 2.2.1. Not sure how to fix that.
If graphql-cli has not fixed their dependency on the vulnerable package and we use graphql-cli through yarn, we can utilize the "resolutions" field in our root package.json. Be careful though, because this forcefully requires all yarn dependencies to use that version if the package is listed as a dependency at any point in the tree. This means it is possible to introduce a breaking change to a package that was not upgraded, thus potentially breaking our use. If you end up using resolutions, make sure to test out all places we use graphql-cli.
Nice. I wasn't aware of this, thanks.
I have checked this, everything looks fine. Can you run through this yourself once to make sure I haven't missed anything?
…revanth/https-proxy-agent-security-fix
We only use
…ub.com/magento/pwa-studio into revanth/https-proxy-agent-security-fix
I figure @sirugh just wants to know we tested, which we did.
LGTM, thank you @revanth0212 and @supernova-at for writing and maintaining as well. I think we should consider deprecating this, however, and replacing it with something that understands which files are actually being included in the bundle.
In my tests I noticed that this looks through the filesystem, and not the dependency chain. This means that it's gonna read both .ee.js and .ce.js files. As these proliferate, that will probably mean that any CE-based projects won't validate properly, because the validator is seeing .ee.js files that aren't being included.
I recommend something like this instead:
- An extension! @magento/pwa-studio-validate-queries or something
  - It adds a command to buildpack, like buildpack validate-queries
  - Under the hood it runs a full build (with --mode development, for speed)
  - It adds the ESLint Webpack Plugin to the compiler, and configures it to use the ESLint GraphQL plugin we're currently using
- It needs some extension points opened up!
  - A Target for adding Buildpack commands
  - A Target for running a customized Webpack build with mode and plugin settings
- We'll have to decide how we download and maintain the schema. Should we continue using the GraphQLConfig ecosystem, or is it more trouble than it's worth?
@awilcoxa May I request that we backlog this issue? It would make the query validator script useful again. It would also reduce dependency bloat to modernize this feature, which would probably stabilize our project.
@revanth0212 Can you please check the unit test failure (pwa-pr-test) packages/graphql-cli-validate-magento-pwa-queries/lib/tests/index.spec.js
LGTM, thanks for sleuthing that test result, @revanth0212
This might be a false positive. We haven't changed anything related to UI. This is more of ESLint and build stuff.
QA Pass.
Performance Test Results: The following fails have been reported by WebpageTest. These numbers indicate a possible performance issue with the PR which requires further manual testing to validate. https://pr-2356.pwa-venia.com/venia-tops.html : LH Performance Expected 0.75 Actual 0.74
Description
This fixes the https-proxy-agent security issue. https-proxy-agent is a deep dependency of 3 of our dependencies: lerna, danger and graphql-cli. A GitHub security issue has been raised on https-proxy-agent@2.2.3 and lower versions.
Lerna is being used in the monorepo-introduction.js script. @zetlen made changes to the files so we don't need lerna any more. Hence deprecating it.
Also, danger uses https-proxy-agent@2.2.1, which is vulnerable as well. It will be moved out of pwa-studio into the CICD repo where it belongs (PWA-543: https://jira.corp.magento.com/browse/PWA-543).
Coming to graphql-cli, I have tried upgrading it to the latest version, but the deep dependency of https-proxy-agent is still 2.2.1. Not sure how to fix that.
Related Issue
Closes PWA-531
Verification Stakeholders
@zetlen
Verification Steps
The root package.json has a "prepare" script defined which runs scripts/monorepo-introduction.js. NPM runs the prepare script after every local yarn install. The purpose of scripts/monorepo-introduction.js is to set up the development environment correctly for brand new checkouts, and to verify that all packages are prepared to build. To do so, it runs the prepare script in all of the sub-packages that have one defined. It was using Lerna to do this, but now it doesn't need to.
To verify that scripts/monorepo-introduction.js is still working correctly:
- Check out the branch and run yarn install.
- Observe that after the install completes, it logs the expected output of scripts/monorepo-introduction.js.
- Run rm packages/graphql-cli-validate-magento-pwa-queries/lib/magento-compatibility.js.
- Run mv packages/venia-concept/.env packages/venia-concept/.env.temp.
- Run yarn install again. Observe that both of the removed files have been regenerated.
- Run mv packages/venia-concept/.env.temp packages/venia-concept/.env to restore your old .env file.
To verify that scripts/monorepo-introduction.js will run any newly defined prepare step in a sub-package:
- Open packages/venia-concept/package.json.
- Add "prepare": "[[ 1 == 2 ]]", to the scripts section. (That's designed to fail on purpose.)
- Run yarn install. Observe that it fails and displays an error.
- Remove the prepare step from packages/venia-concept/package.json.
Checklist
TODO