Handling https-proxy-agent GitHub security issue.
#2356
Conversation
revanth0212
added
the
version: Minor
|
revanth0212
changed the title
https-proxy-agent GitHub security issue.
m2-community-project
bot
moved this from Ready for Review
to Reviewer Approved
in Pull Request Progress
There was a problem hiding this comment.
Coming to graphql-cli I have tried upgrading it to the latest version but, the deep dependency of https-proxy-agent is still 2.2.1. Not sure how to fix that.
If graphql-cli has not fixed their dependency on the vulnerable package and we use graphql-cli through yarn we can utilize the "resolutions" in our root package.json. Be careful though because this forcefully requires all yarn dependencies to use that version if the package is listed as a dependency at any po9int in the tree. This means it is possible to introduce a breaking change to a package that was not upgraded, thus potentially breaking our use.
If you end up using resolutions make sure to test out all places we use graphql-cli.
m2-community-project
bot
moved this from Reviewer Approved
to Changes Requested
in Pull Request Progress
m2-community-project
bot
added
Progress: changes requested
and removed
Progress: approved
labels
|
|
Nice. I wasn't aware of this, thanks.
I have checked this, everything looks fine. Can you run through this yourself once to make sure I haven't missed anything? |
…revanth/https-proxy-agent-security-fix
|
We only use |
…ub.com/magento/pwa-studio into revanth/https-proxy-agent-security-fix
zetlen
dismissed
sirugh’s stale review
I figure @sirugh just wants to know we tested, which we did.
There was a problem hiding this comment.
LGTM, thank you @revanth0212 and @supernova-at for writing and maintaining as well. I think we should consider deprecating this, however, and replacing it with something that understands which files are actually being included in the bundle.
In my tests I noticed that this looks through the filesystem, and not the dependency chain. This means that it's gonna read both .ee.js and .ce.js files. As these proliferate, that will probably mean that any CE-based projects won't validate properly, because the validator is seeing .ee.js files that aren't being included.
I recommend something like this instead:
- An extension!
@magento/pwa-studio-validate-queriesor something- It adds a command to
buildpack, likebuildpack validate-queries - Under the hood it runs a full build (with
--mode development, for speed) - It adds the ESLint Webpack Plugin to the compiler, and configures it to use the ESLint GraphQL plugin we're currently using
- It adds a command to
- It needs some extension points opened up!
- A Target for adding Buildpack commands
- A Target for running a customized Webpack build with mode and plugin settings
- We'll have to decide how we download and maintain the schema. Should we continue using the GraphQLConfig ecosystem, or is it more trouble than it's worth?
@awilcoxa May I request that we backlog this issue? It would make the query validator script useful again. It would also reduce dependency bloat to modernize this feature, which would probably stabilize our project.
|
@revanth0212 Can you pls check the unit test failure (pwa-pr-test) packages/graphql-cli-validate-magento-pwa-queries/lib/tests/index.spec.js |
This might be a false positive. We haven't changed anything related to UI. This is more of ES Lint and build stuff. |
|
QA Pass. |
|
Performance Test Results The following fails have been reported by WebpageTest. These numbers indicates a possible performance issue with the PR which requires further manual testing to validate. https://pr-2356.pwa-venia.com/venia-tops.html : LH Performance Expected 0.75 Actual 0.74 |
m2-community-project
bot
moved this from Changes Requested
to Done
in Pull Request Progress
Description
This fixes the
https-proxy-agentsecurity issue.https-proxy-agentis a deep dependency of 3 of our dependencies:A GitHub security issue has been raised on
https-proxy-agent@2.2.3 and lower versions.Lerna is being used in the
monorepo-introduction.jsscript. @zetlen made changes to the files so we don't need lerna any more. Hence deprecating it.Also
dangeruseshttps-proxy-agent@2.2.1which is vulnerable as well. It will be moved out ofpwa-studiointo the CICD repo where it belongs in (PWA-543)[https://jira.corp.magento.com/browse/PWA-543].Coming to
graphql-cliI have tried upgrading it to the latest version but, the deep dependency ofhttps-proxy-agentis still2.2.1. Not sure how to fix that.Related Issue
Closes PWA-531
Verification Stakeholders
@zetlen
Verification Steps
The root
package.jsonhas a"prepare"script defined which runsscripts/monorepo-introduction.js. NPM runs thepreparescript after every localyarn install. The purpose ofscripts/monorepo-introduction.jsis to set up the development environment correctly for brand new checkouts, and to verify that all packages are prepared to build. To do so, it runs thepreparescript in all of the sub-packages that have one defined. It was using Lerna to do this, but now it doesn't need to.To verify that
scripts/monorepo-introduction.jsis still working correctly:Check out the branch and run
yarn install.Observe that after the install completes, it logs:
This is the expected output of
scripts/monorepo-introduction.js.Run
rm packages/graphql-cli-validate-magento-pwa-queries/lib/magento-compatibility.js.Run
mv packages/venia-concept/.env packages/venia-concept/.env.tempRun
yarn installagain. Observe that both of the removed files have been regenerated.Run
mv packages/venia-concept/.env.temp packages/venia-concept/.envto restore your old.envfile.To verify that
scripts/monorepo-introduction.jswill run any newly definedpreparestep in a sub-package:packages/venia-concept/package.json."prepare": "[[ 1 == 2 ]]",to thescriptssection. (That's designed to fail on purpose.)yarn install. Observe that it fails and displays an error.preparestep frompackages/venia-concept/package.json.Checklist
TODO