Listen for end events #36
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
kevinburke
force-pushed
the
listen-for-end-event
branch
from
585ba62 to
fe6bb2d
Compare
Codecov Report
@@ Coverage Diff @@
## master #36 +/- ##
====================================
Coverage 0% 0%
====================================
Files 7 7
Lines 372 384 +12
Branches 66 68 +2
====================================
- Misses 325 335 +10
- Partials 47 49 +2
Continue to review full report at Codecov.
|
kevinburke
force-pushed
the
listen-for-end-event
branch
6 times, most recently
from
0579453 to
ea7267d
Compare
kevinburke
added a commit
to sourcegraph/sourcegraph-public-snapshot
that referenced
this pull request
Oct 5, 2018
The thread-loader package starts several subprocesses. When you send a SIGINT to thread-loader, the subprocesses terminate, but the parent process hangs while waiting for them to send data. We were not listening for the 'end' event in the parent process which meant that the webpack processes would just hang forever. This is a problem because this blocks the shutdown of goreman which means we can have orphan processes and is, in general, a huge hassle when developing the codebase locally. Fix this by listening for an 'end' event, which means we can signal to Webpack that the job terminated with an error, instead of not terminating. This means that SIGINT will actually shut down the process instead of leaving it hanging forever. Fixes sourcegraph/sourcegraph#186. Updates webpack/thread-loader#33. Updates webpack/thread-loader#34. Updates webpack/thread-loader#35. Updates webpack/thread-loader#36.
Collaborator
|
@evilebottnawi you review this please? I have also found this issue in a simple use case #39 |
alexander-akait
requested changes
Dec 13, 2018
Member
alexander-akait
left a comment
alexander-akait
left a comment
There was a problem hiding this comment.
Other look good. Thanks!
.travis.yml
Outdated
| before_script: npm i --no-save git://github.com/webpack/webpack.git#master | ||
| script: npm run travis:$JOB_PART | ||
| node_js: 8 | ||
| node_js: 10 |
Member
There was a problem hiding this comment.
I think canary tests should be on minimum supported node, i.e. 6
Collaborator
|
@kevinburke can you check the review and change accordingly please? |
Member
|
@kevinburke Also please accept CLA |
This was referenced Dec 13, 2018
Closed
Merged
Author
|
I've signed the CLA. |
kevinburke
force-pushed
the
listen-for-end-event
branch
2 times, most recently
from
7939a4f to
e34202a
Compare
Collaborator
|
@kevinburke the build for this PR should become green after merging #44 After it gets merged, can you merge this branch with master so you can have a green CI before merging it? |
This was referenced Dec 14, 2018
Member
|
Need rebase, feel free to ping me when it is done or recreate the PR |
kevinburke
force-pushed
the
listen-for-end-event
branch
3 times, most recently
from
d9d54db to
63cc203
Compare
Attempting to run "npm install" on a new-ish Mac with Node v10.11 fails with a number of node-gyp compilation failures. Installing and using the latest versions of node-sass, nan, and fsevents resolves this failure, as each of those packages resolves the issues that led to problems. Update lodash to v4.17.11 to fix a security warning present in the Travis CI configuration. Add Node 10 to the build matrix so we can test for it. I am nervous about the number of changes to package-lock.json and I am not sure how to mitigate that - apparently NPM 6 changed the way requirements are stored in the file so we'll just have to do this at some point. npm/npm#20434
In the event that the read stream terminates before all of the data has been read, the pipe will send an 'end' event. We should listen for this event and hit the callback with it, instead of hanging forever. Added tests to verify this. Verified the patch fixes the problem by running the tests without the patch, observing that they timeout, then running the tests with the patch and verifying you get an error back.
kevinburke
force-pushed
the
listen-for-end-event
branch
from
63cc203 to
326045c
Compare
Author
|
I rebased but I'm not happy as I am not sure I can verify the changes in package-lock.json are correct. I submitted a change that just runs "dedupe" on its own, once that is merged maybe the diff here will be clearer. |
Member
|
@kevinburke you should not care about |
Member
=== npm audit security report ===
# Run npm update cryptiles --depth 9 to resolve 3 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Insufficient Entropy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jest [dev] │
├───────────────┼─────────────────────���────────────────────────────────────────┤
│ Path │ jest > jest-cli > jest-config > jest-environment-jsdom > │
│ │ jsdom > request > hawk > cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/720 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Insufficient Entropy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jest [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jest > jest-cli > jest-environment-jsdom > jsdom > request > │
│ │ hawk > cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/720 │
└───────────────┴─────────────────���────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Insufficient Entropy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jest [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ jest > jest-cli > jest-runtime > jest-config > │
│ │ jest-environment-jsdom > jsdom > request > hawk > cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/720 │
└───────────────┴──────────────────────────────────────────────────────────────┘
[!] 3 vulnerabilities found - Packages audited: 12018 (12010 dev, 291 optional)
Severity: 3 HighJust send a PR with updating deps |
Member
|
Try |
Author
|
I don’t have the time to audit every dependency update for correctness at
the moment, unfortunately. As I understand it dedupe does not change
dependency versions.
On Fri, Dec 14, 2018 at 11:26 Evilebot Tnawi ***@***.***> wrote:
Try rm -r package-lock.json && rm -r node_modules && npm i
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#36 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAOSI44X2G7sufZc9RSyG2RwyFdpLCeUks5u44rbgaJpZM4XJNWF>
.
--
Kevin Burke
phone: 925.271.7005 | kev.inburke.com
|
Member
|
@kevinburke no need audit dependencies just update this deps and all, need update |
Author
|
Apologies but as the combined-stream security issue last week demonstrated,
blindly updating every dependency without understanding what they do and
what’s changing is not a great philosophy nor is it one I agree with.
I audited the two packages I updated here. You are welcome to update every
dep separately but I don’t want my name attached to a commit that blindly
updates deps and introduces a security vulnerability or a defect.
On Fri, Dec 14, 2018 at 11:36 Evilebot Tnawi ***@***.***> wrote:
@kevinburke <https://github.com/kevinburke> no need audit dependencies
just update this deps and all
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#36 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAOSI9fJaooDkZdUl5jX07v1Rm3LmKl2ks5u440ogaJpZM4XJNWF>
.
--
Kevin Burke
phone: 925.271.7005 | kev.inburke.com
|
Collaborator
|
@kevinburke I think it's not realistic to think we can manually audit every dependency from our 3rd party dependencies as a project grows. What we should do, as in any matter of security, is to adopt the best standard procedures which I think we are already doing here running the |
Collaborator
|
@kevinburke I've opened a PR to bump the old used dependencies and just run |
Member
|
Need rebase |
Member
|
Done in #42, thanks for PRs and thanks for help |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the event that the read stream terminates before all of the data
has been read, the pipe will send an 'end' event. We should listen for
this event and hit the callback with it, instead of hanging forever.
Added tests to verify this. Verified the patch fixes the problem by
running the tests without the patch, observing that they timeout, then
running the tests with the patch and verifying you get an error back.