audit(critical): handlebars@4.4.5 in package resolutions #6853
Conversation
and update yarn.lock

resolves critical `yarn audit` issue due to: https://www.npmjs.com/advisories/755

fixed formatting of `resolutions` package field using the following command:

    node ./bin/prettier.js --write package.json
Bad idea, npm doesn't support this. I use this just for testing.
But whatever version of handlebars is installed by Yarn would be bundled when the dist is built. I tried building the dist; there seem to be no dependencies in the generated. So I think this would be for the benefit of most users, who install from npm, and would not affect installation from GitHub. Am I missing something here?
Why not just update the lock file?
package.json
Outdated
@@ -13,6 +13,9 @@ | |||
"engines": { | |||
"node": ">=8" | |||
}, | |||
"resolutions": { | |||
"handlebars": "4.4.5" | |||
}, |
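Review bot: The `"resolutions": { "handlebars": "4.4.5" }` block added after `engines` is a Yarn-only field; npm ignores it, so it changes nothing for users who install this package from npm and only affects Yarn installs of this repository. For a published tool the effective fix is the `yarn.lock` update itself, not a repo-level override, and an exact pin to 4.4.5 would also have to be hand-edited for every future handlebars patch release. Suggest dropping the `resolutions` block and keeping only the lockfile change.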
Using `resolutions` is always a bad idea; it helps in applications with broken/vulnerable dependency releases, but not in libraries or tools.
Done. I just removed the resolutions field, evidently not needed now that yarn.lock is updated. Is there anything else I can do to help get this into Release 1.19 (#6469)?
Thanks for the quick attention and merge! After the fact, I really should have updated the title to reflect the end result, which is just an update to yarn.lock.
@brodybits @lydell Please revert this, every time I run
@brodybits How did you update the lockfile? @fisker You could use
Just look through the commits in this PR. Yarn updates the dependencies in the lock file if we add resolutions, which I think is good if we resolve the audit issue. Removing resolutions did not cause Yarn to do anything else in this case.

I can take a better look in the next few hours if you have any more questions. I really do not see what should be a problem here.

--
Sent from my mobile
Or maybe it would be less drastic to fix the lock file to use handlebars 4.1.2 rather than 4.4.5. This should still resolve the audit issue without affecting anything else.

I would be happy to take a look sometime later today, if needed.

--
Sent from my mobile
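The check the comments above keep circling back to is "which handlebars version does yarn.lock actually resolve, and is it still below the version that clears the advisory?". The following is an added example, not Prettier's code or anything from this PR: it parses Yarn v1 lockfile entries for one package and flags any resolved version below a minimum fixed version. The lockfile text is constructed for the example, the minimal parser only reads header keys and the `version` line that follows them, and the 4.1.2 floor is taken from the comment above as an assumption; a real advisory can list several patched ranges, which this single-floor check does not model, so `yarn audit` stays the authoritative answer.

```javascript
// Added example, not Prettier's code: inspect a Yarn v1 lockfile and report
// which versions of one package it resolves, flagging any below a minimum
// fixed version. Lockfile text below is constructed for this example.

// Constructed sample: one handlebars entry still on an old version, one on
// the version this PR pinned, and an unrelated scoped package.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

handlebars@^4.0.3:
  version "4.0.12"
  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.0.12.tgz"
  dependencies:
    async "^2.5.0"

handlebars@^4.1.2:
  version "4.4.5"
  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.4.5.tgz"

"@babel/parser@7.7.3":
  version "7.7.3"
  resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.7.3.tgz"
`;

// Split a lockfile into entries of the form { keys: ["name@range", ...], version }.
// Indented lines other than `version` (resolved, dependencies) are skipped.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Header: comma-separated `name@range` keys, optionally quoted, ending in ":".
      const keys = line
        .replace(/:$/, "")
        .split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
      current = { keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = /^ {2}version "([^"]+)"$/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "handlebars@^4.1.2" -> { name: "handlebars", range: "^4.1.2" }. Splitting on
// the last "@" keeps scoped names such as "@babel/parser@7.7.3" intact.
function splitKey(key) {
  const at = key.lastIndexOf("@");
  return { name: key.slice(0, at), range: key.slice(at + 1) };
}

// Compare two x.y.z[-pre] versions, returning -1, 0 or 1. A prerelease sorts
// below the release with the same core; prerelease identifiers themselves are not ordered here.
function compareVersions(a, b) {
  const parse = (v) => {
    const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
    if (!m) throw new Error(`unsupported version string: ${v}`);
    return { core: [m[1], m[2], m[3]].map(Number), pre: m[4] || null };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Every lock entry for `pkgName`, with the ranges that map to each resolved version.
function findResolvedVersions(lockText, pkgName) {
  const out = [];
  for (const entry of parseYarnLock(lockText)) {
    const ranges = entry.keys
      .map(splitKey)
      .filter((k) => k.name === pkgName)
      .map((k) => k.range);
    if (ranges.length > 0) out.push({ ranges, version: entry.version });
  }
  return out;
}

// Flag entries whose resolved version is missing or below `minFixedVersion`.
// A single floor is a simplification (assumption): advisories may list several
// patched ranges, so treat `yarn audit` as the authoritative check.
function auditPackage(lockText, pkgName, minFixedVersion) {
  const resolved = findResolvedVersions(lockText, pkgName);
  const vulnerable = resolved.filter(
    (e) => e.version === null || compareVersions(e.version, minFixedVersion) < 0
  );
  return { resolved, vulnerable, ok: vulnerable.length === 0 };
}
```

Running `auditPackage(SAMPLE_LOCK, "handlebars", "4.1.2")` on the constructed lockfile returns both handlebars entries under `resolved` and only the `4.0.12` entry under `vulnerable`, which is exactly the situation a lockfile-only fix has to clear: every `handlebars@<range>` key, not just the one a `resolutions` override happens to rewrite. To run it against a real repository, replace `SAMPLE_LOCK` with `fs.readFileSync("yarn.lock", "utf8")`.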
@brodybits @lydell no need to revert, sending a PR to fix it
6868, right?

It looks ok to me. Unfortunately I really do not understand what problem it solves now and how it solves the problem.

--
Sent from my mobile
#6867 I don't know either. I ran yarn and checked it, it's still the new version, so I sent it.
* 'master' of github.com:prettier/prettier: (43 commits)
  Update `postcss-less` to v2 (#6778)
  Show invalid config filename in error message (#6865)
  Change external links to https (#6874)
  Bump @babel/parser from 7.7.0 to 7.7.2 (#6862)
  Fix nullish coalescing parenthesis with mixed logical operators (#6863)
  Remove handlebars@4.4.5 requirement in yarn.lock (#6867)
  Update browerslist in yarn.lock (#6868)
  fix formatting of comments in flow enums (#6860)
  better formatting for AwaitExpression in CallExpression/MemberExpression (#6856)
  Bump @typescript-eslint/typescript-estree from 2.6.0 to 2.6.1 (#6805)
  test: issue #6283 (#6855)
  audit(critical): handlebars@4.4.5 in package resolutions (#6853)
  Flow enums (#6833)
  Add mongo as a VS Code supported language (#6848)
  Bump `eslint` from 6.5.1 to 6.6.0 (#6846)
  Upgrade flow-parser from 0.89 to 0.111 (#6830)
  Bump @babel/preset-react from 7.6.3 to 7.7.0 in /website (#6827)
  Bump typescript from 3.7.1-rc to 3.7.2 (#6832)
  Bump rollup from 1.26.0 to 1.26.3 (#6821)
  update Babel to 7.7.0 and enable error recovery (#6816)
  ...

Commit log (sha, author, date: subject; notable body text indented):
  b091fd3  Simon Lydell, Sat Nov 9 12:12:31 2019 +0100: Remove out-of-date comment
  58c6b42  Georgii Dolzhykov, Sat Nov 9 12:47:54 2019 +0200: fix formatting of union type as arrow function return type (prettier#6896)
  8c3efeb  Simon Lydell, Sat Nov 9 01:44:53 2019 +0100: Try to fix some code blocks in 1.19.0 blog post
  4eb3e26  Simon Lydell, Sat Nov 9 01:23:57 2019 +0100: Blog post, changelog and docs for 1.19 (prettier#6787)
  98d27c7  Simon Lydell, Sat Nov 9 01:14:31 2019 +0100: Bump Prettier dependency to 1.19.0
  e788e8d  Simon Lydell, Sat Nov 9 01:09:19 2019 +0100: Release 1.19.0
  057e15d  Simon Lydell, Sat Nov 9 01:00:06 2019 +0100: prettier 1.19.0-beta.1
  3fb111a  Georgii Dolzhykov, Sat Nov 9 01:12:32 2019 +0200: deduplicate entries in yarn.lock - part 2 (prettier#6884)
  10c5c37  Georgii Dolzhykov, Sat Nov 9 00:43:34 2019 +0200: deduplicate entries in yarn.lock (prettier#6882)
           * deduplicate entries in yarn.lock
           * revert changes for @babel/code-frame
  361fd2d  Georgii Dolzhykov, Sat Nov 9 00:06:54 2019 +0200: fix printing bigint literals parsed by Flow (prettier#6883)
  ea70396  Georgii Dolzhykov, Fri Nov 8 23:31:31 2019 +0200: Fix lost adjacent JSX when using Babel (prettier#6881)
           Bump @babel/parser to 7.7.3. Otherwise Prettier formats "<a/><b/>" to "<a/ >;".
  7959b12  Justin Ridgewell, Fri Nov 8 15:25:38 2019 -0500: Don't require parens for same-operator logical expressions (prettier#6864)
           Multiple same-operator logical expressions do not require parentheses to disambiguate.
  3618361  fisker Cheung, Sat Nov 9 02:38:55 2019 +0800: Update `codecov` to v3.6.1 (prettier#6876)
  e1d30d6  fisker Cheung, Sat Nov 9 02:37:56 2019 +0800: Update `@babel/core` to v7.7.2 (prettier#6877)
  d865eb5  fisker Cheung, Sat Nov 9 02:37:41 2019 +0800: Update `flow-parser` to v0.111.3 (prettier#6878)
  ec65947  fisker Cheung, Sat Nov 9 02:36:27 2019 +0800: Update `@rollup/plugin-replace` to v2.2.1 (prettier#6879)
  460ea2f  fisker Cheung, Sat Nov 9 02:33:59 2019 +0800: Format `style[lang="css"]` (prettier#6875)
  597dae8  dependabot-preview[bot], Fri Nov 8 17:44:23 2019 +0100: Bump @babel/preset-env from 7.6.3 to 7.7.1 in /website (prettier#6826)
  d05be09  fisker Cheung, Sat Nov 9 00:33:28 2019 +0800: Fix unpkg links in docs (prettier#6872)
  85912a7  fisker Cheung, Fri Nov 8 23:34:14 2019 +0800: Update `postcss-less` to v2 (prettier#6778)
           Squashed fixups: Update `postcss-less` to v2; fix less `custom-selectors`; fix less `custom-selectors` 2; fix custom-selector `:` position; remove less hack; fix custom selector; cleanup; add changlog; add link; restore changlog; restore snap; restore snap; update postcss-custom-selectors detect; remove startsWith; trigger build; update `custom-selector`; add test and changelog; style; md; issue-4090-test; docs; Update CHANGELOG.unreleased.md (Co-Authored-By: Georgii Dolzhykov); fix pr issue; fix; fix merge issue; insert new line; snap update; only support custom-selector in css; scss already parse it as custom-selector; remove `custom-selector` test in scss; link
  91c5235  fisker Cheung, Fri Nov 8 20:51:51 2019 +0800: Show invalid config filename in error message (prettier#6865)
  304acbe  fisker Cheung, Fri Nov 8 19:49:32 2019 +0800: Change external links to https (prettier#6874)
  b06b42d  dependabot-preview[bot], Fri Nov 8 14:18:59 2019 +0300: Bump @babel/parser from 7.7.0 to 7.7.2 (prettier#6862)
  8188876  Justin Ridgewell, Thu Nov 7 13:56:44 2019 -0500: Fix nullish coalescing parenthesis with mixed logical operators (prettier#6863)
           Mixing nullish coalescing (`??`) with the other logical operators (`&&` and `||`) requires parentheses to disambiguate the intended short circuiting; without them it's a `SyntaxError`. Earlier drafts of the spec allowed mixing, but it was disallowed when the proposal reached Stage 3. See https://v8.dev/features/nullish-coalescing#mixing-and-matching-operators
  d4a7a47  fisker Cheung, Thu Nov 7 18:33:24 2019 +0800: Remove handlebars@4.4.5 requirement in yarn.lock (prettier#6867)
  5caa608  fisker Cheung, Thu Nov 7 18:04:32 2019 +0800: Update browerslist in yarn.lock (prettier#6868)
  b9ab7e2  Georgii Dolzhykov, Thu Nov 7 12:02:41 2019 +0200: fix formatting of comments in flow enums (prettier#6860)
  54cbdb8  Georgii Dolzhykov, Wed Nov 6 21:53:16 2019 +0200: better formatting for AwaitExpression in CallExpression/MemberExpression (prettier#6856)
  5458fb5  dependabot-preview[bot], Wed Nov 6 20:45:09 2019 +0100: Bump @typescript-eslint/typescript-estree from 2.6.0 to 2.6.1 (prettier#6805)
           * add shim for path.extname
  5992654  Evilebot Tnawi, Wed Nov 6 22:43:21 2019 +0300: test: issue prettier#6283 (prettier#6855)
  4ed377a  Chris Brody, Wed Nov 6 14:38:38 2019 -0500: audit(critical): handlebars@4.4.5 in package resolutions (prettier#6853)
           * audit(critical): handlebars@4.4.5 in package resolutions and update yarn.lock; resolves critical `yarn audit` issue due to: https://www.npmjs.com/advisories/755; fixed formatting of `resolutions` package field using the following command: node ./bin/prettier.js --write package.json
           * and remove resolutions, not needed now that the lock file has been updated
  b23c6a2  George Zahariev, Wed Nov 6 11:36:16 2019 -0800: Flow enums (prettier#6833)
  16f2c97  Aymeric Bouzy, Wed Nov 6 15:57:49 2019 +0100: Add mongo as a VS Code supported language (prettier#6848)
           * updated Changelog; fix spellcheck error; fix tests
  4d9acf8  fisker Cheung, Wed Nov 6 18:29:02 2019 +0800: Bump `eslint` from 6.5.1 to 6.6.0 (prettier#6846)
  e48a9df  George Zahariev, Tue Nov 5 22:50:32 2019 -0800: Upgrade flow-parser from 0.89 to 0.111 (prettier#6830)
  2b22c7a  dependabot-preview[bot], Wed Nov 6 07:46:14 2019 +0100: Bump @babel/preset-react from 7.6.3 to 7.7.0 in /website (prettier#6827)
  d3fbdd9  dependabot-preview[bot], Wed Nov 6 07:40:45 2019 +0100: Bump typescript from 3.7.1-rc to 3.7.2 (prettier#6832)
  c26f087  dependabot-preview[bot], Tue Nov 5 23:45:28 2019 +0200: Bump rollup from 1.26.0 to 1.26.3 (prettier#6821)
  1df4c17  Georgii Dolzhykov, Tue Nov 5 21:08:41 2019 +0200: update Babel to 7.7.0 and enable error recovery (prettier#6816)
  9d2f5e0  dependabot-preview[bot], Tue Nov 5 19:08:14 2019 +0100: Bump terser-webpack-plugin from 2.1.3 to 2.2.1 (prettier#6819)
Resolves critical `yarn audit` issue due to: https://www.npmjs.com/advisories/755 without causing any regressions (failures) in the existing test suite.

I hope this update can be part of the release 1.19 checklist (#6469).