Update micromatch #2888
Conversation
@stylelint/core This dependency update has been floating around for a while. If anyone has time to throw some fresh eyes on it, that'd be great!
I think the build errors would be fixed by #2936. Any objections to rebasing this off of
Yep, rebase.
Appveyor is still likely to fail due to an incompatibility with how we're using micromatch and the Windows platform.
Ah, I see. I don't have a Windows machine, so I'm not going to be able to do much troubleshooting here.
FWIW, versions of micromatch<3 still depend on a pre-v2 version of braces, which transitively depends on an older version of randomatic, for which
This is probably not too important in the context of stylelint, but it is at least a minor annoyance because npm now outputs vulnerability information after install/update/uninstall operations by default.
Thanks @prettyv, I'll try to dig into this again soon 👍
As of v9.4.0, here's the
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Cryptographically Weak PRNG                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ randomatic                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stylelint [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stylelint > micromatch > braces > expand-range > fill-range  │
│               │ > randomatic                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/157                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
Has anyone here informed the devs behind
Hey guys, I created both randomatic and micromatch. Unless you're using micromatch to generate passwords or API tokens, I think it's safe to say that this is unlikely to actually be a concern. Randomatic optionally generates random strings, but the main use of the library has always been to generate strings that follow a certain pattern. For example, it was used in micromatch for simplifying how patterns are expanded in brace patterns. You could also use it to generate a pseudo-random string for mocking out unit tests for things like order numbers that follow a pattern, like That said, I do see the following string a lot in password examples:
@Berkmann18 I installed stylelint@9.4.0 and didn't get any vulnerability warnings. Most likely one of the other packages you're using requires a vulnerable sub-dependency, which is in line with our sub-dependencies, and npm uses the vulnerable one.
@jonschlinkert thank you for the explanation! @stylelint/contributors I tried to take a look at this update when I got a chance to do it on a Windows machine. Surprisingly, I couldn't run tests on
We have to take a look at this issue, as the micromatch update has been hanging for a very long time already.
Related issues: micromatch/micromatch#132
Glob is converted to absolute path: stylelint/lib/augmentConfig.js, lines 110 to 111 at 6bfb948.
But micromatch@3 does not support the absolute path of Windows style
Thanks @gucong3000.
To clarify, micromatch no longer converts backslashes in glob patterns to forward slashes. Micromatch 3.0 does handle and match Windows paths just fine.
Hope this helps.
@jonschlinkert Many thanks for sharing this!
lgtm
Previously #2864
See the detailed issues in the previous PRs: #2691 #2753, #2597 and #2808