Alternative: override debug-fabulous + es5-ext to eliminate quarantined dependency #315067
Closed
jiridanek wants to merge 1 commit into microsoft:main from
Conversation
debug-fabulous@2.0.69 dropped the memoizee dependency that pulled in es5-ext through the build tooling chain (gulp-sourcemaps). This eliminates es5-ext from devDependencies entirely.

For the remaining production path (@microsoft/dev-tunnels-connections → websocket → es5-ext), override es5-ext with @unes/es5-ext@0.10.64-1, a community fork without the postinstall script.

es5-ext is quarantined by Nexus Firewall (sonatype-2022-2248) due to undisclosed postinstall code execution.

Fixes microsoft#310541

Co-authored-by: Cursor <cursoragent@cursor.com>
Contributor
Pull request overview
This PR adjusts the root npm dependency resolution to reduce exposure to the quarantined es5-ext package by (1) overriding debug-fabulous to a newer release that drops the memoizee -> es5-ext toolchain path, and (2) overriding remaining es5-ext uses to the @unes/es5-ext fork.
Changes:
- Add npm `overrides` for `debug-fabulous@^2.0.69` and `es5-ext` → `npm:@unes/es5-ext@0.10.64-1`.
- Update `package-lock.json` to reflect the new resolution: remove `memoizee` (and related transitive deps) and rewrite `es5-ext` occurrences to `@unes/es5-ext`.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Adds dependency overrides for debug-fabulous and es5-ext to alter the transitive dependency graph. |
| package-lock.json | Updates the resolved dependency tree to reflect the new overrides (including removing memoizee and swapping es5-ext to @unes/es5-ext). |
| "node-addon-api": "7.1.0" | ||
| }, | ||
| "serialize-javascript": "^7.0.3", | ||
| "debug-fabulous": "^2.0.69", |
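Review bot: the shown lines add only the `"debug-fabulous": "^2.0.69"` entry; the second override the description depends on, `"es5-ext": "npm:@unes/es5-ext@0.10.64-1"`, is not in this excerpt, so confirm both sit under `overrides` and that package-lock.json resolves every `es5-ext` path (including the nested copy under `websocket`) to the fork rather than the upstream tarball. The caret range also lets npm select any later 2.x of debug-fabulous, and 2.0.69 was published the same day as this PR; pinning the exact version and checking the lock file's `resolved`/`integrity` values for that tarball keeps the quarantine fix reproducible.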
Contributor
Author
Closing in favor of #315063, which now uses the simpler
Summary
Alternative to #315063: instead of only aliasing es5-ext, this PR also upgrades debug-fabulous to v2.0.69, which dropped the `memoizee` dependency that was the main consumer of es5-ext in the build tooling chain.

Two overrides:
- `"debug-fabulous": "^2.0.69"`: this version (published today) removed `memoizee` as a dependency, completely eliminating es5-ext from the `gulp-sourcemaps` → `debug-fabulous` → `memoizee` → `es5-ext` chain. The entire `d`/`es6-*`/`esniff`/`timers-ext`/`lru-queue` family is removed from the dependency tree.
- `"es5-ext": "npm:@unes/es5-ext@0.10.64-1"`: still needed for the remaining production path: `@microsoft/dev-tunnels-connections` → `es5-ext` + `websocket` → `es5-ext`. Uses a community fork without the postinstall script.

Why this may be preferred over #315063: the debug-fabulous override removes es5-ext from the build tooling tree entirely rather than aliasing it. Fewer transitive dependencies overall.
Fixes #310541
References
Made with Cursor
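An override like the two above only helps if the lock file actually resolves every copy of the quarantined package to the fork, so a check belongs next to the change. The script below is an added example, not code from this PR or from the vscode repository; it assumes a lockfile-v3 `package-lock.json` (npm 7+, which records aliases in a `name` field and install hooks as `hasInstallScript`), and the sample lock it carries is constructed.

```javascript
// Added example, not code from the PR: audit a lockfile-v3 package-lock.json so a
// quarantined package (es5-ext) appears only as the approved aliased fork
// (@unes/es5-ext), and list every entry npm marks as running an install script.
function auditLock(lock, quarantined, fork) {
  const upstream = [];       // paths still resolving to the quarantined package
  const installScripts = []; // paths whose package has a (pre/post)install hook
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue;   // root project or workspace entry
    const base = path.slice(idx + "node_modules/".length);
    // npm keeps the original folder name for an alias and records the real
    // package in `name`; an un-aliased entry has no `name` field.
    const realName = entry.name || base;
    const resolved = entry.resolved || "";
    if (base === quarantined || realName === quarantined) {
      const isFork = realName === fork && resolved.includes(`/${fork}/-/`);
      if (!isFork) upstream.push(path);
    }
    if (entry.hasInstallScript === true) installScripts.push(path);
  }
  return { upstream, installScripts };
}
// Constructed sample lock: one correctly aliased entry, one nested leftover copy
// of upstream es5-ext (what a root override can miss), one unrelated install hook.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/es5-ext": {
      name: "@unes/es5-ext",
      version: "0.10.64-1",
      resolved: "https://registry.npmjs.org/@unes/es5-ext/-/es5-ext-0.10.64-1.tgz",
    },
    "node_modules/websocket/node_modules/es5-ext": {
      version: "0.10.64",
      resolved: "https://registry.npmjs.org/es5-ext/-/es5-ext-0.10.64.tgz",
      hasInstallScript: true,
    },
    "node_modules/example-native-addon": { version: "1.0.0", hasInstallScript: true },
  },
};
// Usage: node audit-lock.js package-lock.json  (exit code 1 if upstream copies remain)
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const report = auditLock(lock, "es5-ext", "@unes/es5-ext");
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.upstream.length ? 1 : 0;
}
```

On the constructed sample the nested `websocket` copy is reported as still upstream, which is exactly the case a root-level override can leave behind when a dependency pins its own copy.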