Merge pull request #3298 from microsoft/octogonz/minimist-vulnerability

[rush] Upgrade "tar" dependency to eliminate (spurious) security warning
microsoft · Apr 23, 2022 · 817658b · 817658b
2 parents 46a8ff5 + 9d301ee
commit 817658b
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 24 deletions.
diff --git a/common/changes/@microsoft/rush/octogonz-minimist-vulnerability_2022-03-28-01-51.json b/common/changes/@microsoft/rush/octogonz-minimist-vulnerability_2022-03-28-01-51.json
@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@microsoft/rush",
+      "comment": "Upgrade \"tar\" dependency to eliminate spurious security vulnerability for \"minimist\" package",
+      "type": "none"
+    }
+  ],
+  "packageName": "@microsoft/rush"
+}
diff --git a/common/changes/@rushstack/eslint-patch/octogonz-minimist-vulnerability_2022-04-23-01-50.json b/common/changes/@rushstack/eslint-patch/octogonz-minimist-vulnerability_2022-04-23-01-50.json
@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@rushstack/eslint-patch",
+      "comment": "",
+      "type": "none"
+    }
+  ],
+  "packageName": "@rushstack/eslint-patch"
+}
diff --git a/common/config/rush/pnpm-lock.yaml b/common/config/rush/pnpm-lock.yaml
diff --git a/common/config/rush/repo-state.json b/common/config/rush/repo-state.json
@@ -1,5 +1,5 @@
 // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
 {
-  "pnpmShrinkwrapHash": "44e287c291a5be7f5288a83d7e7d1c5087f8e9d7",
+  "pnpmShrinkwrapHash": "b896155b14345a8cc8e4bee41c8f067227e1cfe4",
   "preferredVersionsHash": "d2a5d015a5e5f4861bc36581c3c08cb789ed7fab"
 }
diff --git a/eslint/eslint-patch/src/usage.ts b/eslint/eslint-patch/src/usage.ts
@@ -6,4 +6,4 @@ throw new Error(
     ' See README.md for usage instructions.'
 );
 
-export {};
+export {};
diff --git a/libraries/rush-lib/package.json b/libraries/rush-lib/package.json
@@ -52,7 +52,7 @@
     "ssri": "~8.0.0",
     "strict-uri-encode": "~2.0.0",
     "tapable": "2.2.1",
-    "tar": "~5.0.10",
+    "tar": "~6.1.11",
     "true-case-path": "~2.2.1"
   },
   "devDependencies": {
@@ -74,7 +74,7 @@
     "@types/semver": "7.3.5",
     "@types/ssri": "~7.1.0",
     "@types/strict-uri-encode": "2.0.0",
-    "@types/tar": "4.0.3"
+    "@types/tar": "6.1.1"
   },
   "publishOnlyDependencies": {
     "@rushstack/rush-amazon-s3-build-cache-plugin": "workspace:*",

diff --git a/rush-plugins/rush-azure-storage-build-cache-plugin/src/AzureStorageAuthentication.ts b/rush-plugins/rush-azure-storage-build-cache-plugin/src/AzureStorageAuthentication.ts
@@ -103,7 +103,10 @@ export class AzureStorageAuthentication {
    * @param onlyIfExistingCredentialExpiresAfter - If specified, and a cached credential exists that is still valid
    * after the date specified, no action will be taken.
    */
-  public async updateCachedCredentialInteractiveAsync(terminal: ITerminal, onlyIfExistingCredentialExpiresAfter?: Date): Promise<void> {
+  public async updateCachedCredentialInteractiveAsync(
+    terminal: ITerminal,
+    onlyIfExistingCredentialExpiresAfter?: Date
+  ): Promise<void> {
     await CredentialCache.usingAsync(
       {
         supportEditing: true
@@ -113,7 +116,10 @@ export class AzureStorageAuthentication {
           const existingCredentialExpiration: Date | undefined = credentialsCache.tryGetCacheEntry(
             this._credentialCacheId
           )?.expires;
-          if (existingCredentialExpiration && existingCredentialExpiration > onlyIfExistingCredentialExpiresAfter) {
+          if (
+            existingCredentialExpiration &&
+            existingCredentialExpiration > onlyIfExistingCredentialExpiresAfter
+          ) {
             return;
           }
         }