
chore: update brotli-size version #295

Merged
merged 1 commit into from
May 8, 2019

Conversation

orisano
Contributor

@orisano orisano commented Apr 12, 2019

This closes #294 and closes #298

Update brotli-size 0.0.1 to 0.0.3 for audit.

  • brotli-size@0.0.1
    • iltorb@1.3.10
      • node-gyp@3.8.0
        • tar@2.2.1

tar has a vulnerability.

Description

update brotli-size 0.0.1 to 0.0.3 for audit.

  • brotli-size@0.0.1
    • iltorb@1.3.10
      • node-gyp@3.8.0
        • tar@2.2.1

tar has a vulnerability.

Motivation and Context

npm install failed because tar has a vulnerability.

Screenshots (if appropriate):

Types of changes

  • Version update

Checklist:

  • My code follows the code style of this project.
  • If my change requires a change to the documentation I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I created an issue for the Pull Request
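The description above quotes the chain brotli-size -> iltorb -> node-gyp -> tar that makes npm audit fail. The following is an added example, not code from this PR or from bundlesize, showing how to walk a lockfile-style dependency tree and list every chain that ends at a flagged package, so you can see which direct dependency has to be bumped. The nested tree shape, the `sampleLock` data and the `fixedIn` threshold (4.4.2 here) are all constructed assumptions for illustration, not values taken from the page.

```javascript
// Added example (not part of the bundlesize PR): answer "which of my direct
// dependencies pulls in a flagged version of package X?" from a lockfile-style
// tree. Assumed input shape: each entry has "version" and an optional nested
// "dependencies" map, as in a non-hoisted npm package-lock.json v1 tree.

// Constructed sample mirroring the chain quoted in the PR description, plus a
// second path to a newer tar that must NOT be reported.
const sampleLock = {
  name: 'example-project',
  dependencies: {
    'brotli-size': {
      version: '0.0.1',
      dependencies: {
        iltorb: {
          version: '1.3.10',
          dependencies: {
            'node-gyp': {
              version: '3.8.0',
              dependencies: { tar: { version: '2.2.1' } },
            },
          },
        },
      },
    },
    'some-other-lib': {
      version: '1.0.0',
      dependencies: { tar: { version: '4.4.8' } },
    },
  },
};

// Plain x.y.z comparison: true when `version` is strictly below `fixedIn`.
// Pre-release tags and ranges are out of scope for this example.
function isBelow(version, fixedIn) {
  const a = version.split('.').map(Number);
  const b = fixedIn.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk. Returns an array of chains such as
// ['brotli-size@0.0.1', 'iltorb@1.3.10', 'node-gyp@3.8.0', 'tar@2.2.1'],
// one per occurrence of `pkgName` whose version is below `fixedIn`
// (`fixedIn` is an assumed threshold supplied by the caller).
function findVulnerableChains(lock, pkgName, fixedIn) {
  const chains = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${entry.version}`];
      if (name === pkgName && isBelow(entry.version, fixedIn)) chains.push(here);
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return chains;
}

// The head of each chain is the direct dependency you actually have to bump.
function directDepsToBump(chains) {
  return [...new Set(chains.map((c) => c[0]))];
}

const chains = findVulnerableChains(sampleLock, 'tar', '4.4.2');
for (const chain of chains) console.log(chain.join(' -> '));
console.log('bump:', directDepsToBump(chains).join(', '));
```

Running it prints the single offending chain and names brotli-size@0.0.1 as the dependency to update, while the tar@4.4.8 path under some-other-lib is left alone. Against a real hoisted lockfile you would need to resolve each package's requires back to the installed copy instead of relying on nesting; the traversal itself stays the same.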

@orisano
Contributor Author

orisano commented Apr 16, 2019

What is the status of this PR?

@yosuke-furukawa

Our npm audit always fails with this brotli-size version.
If this PR has no problem, we hope you will merge this PR and update the npm version.

@giamir

giamir commented Apr 25, 2019

iltorb is now using the latest version of node-gyp (4.0.0).
nstepien/iltorb#88

Updating to brotli-size v. 0.0.3 should fix the vulnerability and make npm and yarn audit happy again.

Can you please merge this pull request and publish a new version of bundlesize?
Thanks a lot.

@rpellerin

This would also bring support for NodeJS 12!

@rpellerin

Can this be merged and published please?

@giamir

giamir commented Apr 30, 2019

Is there anything specific that blocks this pull request from being merged? Is there anything we can do to speed up the process? At work we would love to keep running bundlesize in our pipelines, but it's now been almost a month that our security audits are failing.

@palashmon
Collaborator

I can merge it but only @siddharthkp has permission to release a new npm version. So, I am waiting for his confirmation. I have also contacted him on twitter and he said that he will try to look into it this week. Thank you for your patience and understanding.

@palashmon
Collaborator

Also, until then you can try to use:

https://www.npmjs.com/package/@condenast/bundlesize

which is a temporary forked version of this repo which includes this change (but with no guarantee of future support)

https://github.com/conde-nast-international/bundlesize/blob/36dcf48721c0cdfa7b4927d8d20c948a4afde8a4/package.json#L42

@cristianbote

Hey @palashmon, if you can merge it, then we could use the git url for reference, inside our packages. Also @siddharthkp 🙏 #nopressure 😄.
I think github has started to rollout the vulnerability issue, due to https://nvd.nist.gov/vuln/detail/CVE-2018-20834, so this will only get worse.

@vinhlh

vinhlh commented May 6, 2019

Yo yo guys, should we merge it then

@rpellerin

Any update on this?

@palashmon palashmon merged commit b34f001 into siddharthkp:master May 8, 2019
@palashmon
Collaborator

Hi @cristianbote, I have merged the PR. Hope it helps!
Could you please share how you are using git url as a dependency inside your package so that it might help others also? Thanks.

@cristianbote

Hey @palashmon sure! All the information can be found in here as well https://docs.npmjs.com/files/package.json#git-urls-as-dependencies

TL;DR:

```json
"devDependencies": {
  "bundlesize": "siddharthkp/bundlesize"
  ...
}
```

sqs added a commit to sourcegraph/sourcegraph-public-snapshot that referenced this pull request May 12, 2019
@giamir

giamir commented May 13, 2019

Is there a specific reason for not publishing a new version of the package in npm?
@SaraVieira @siddharthkp
I also take the occasion to thank you and all the contributors that make bundlesize available to all of us.

@siddharthkp
Owner

Just published 0.17.2 with security patches

Successfully merging this pull request may close these issues.

vulnerable dependency (high severity) chore: Update brotli-size version