
Upgrade to set-value@^4.0.1 #16

Merged
merged 1 commit into from
Oct 5, 2021

Conversation

jeffsays
Contributor

@jeffsays jeffsays commented Oct 5, 2021

Summary

resolve CVE-2021-23440 by upgrading set-value to ^4.0.1
resolve CVE-2021-3803 by using CumulusDS/flow-coverage-report

Details

Fixing in upstream dependencies is complicated because of changing semantics in set-value when setting the undefined value on objects.
See jonschlinkert/cache-base#22 (comment)

It is safe enough for us to override the set-value package version using package.json resolutions.

Testing

The set-value dependency is only used in the dev infrastructure, not in production code. A green build should give us enough confidence to accept this change.

@jeffsays jeffsays added the dependencies Pull requests that update a dependency file label Oct 5, 2021
@jeffsays jeffsays self-assigned this Oct 5, 2021
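
One way to confirm that a package.json resolutions override actually took effect, as an added example that is not code from this PR or from the set-value project: it parses yarn classic (lockfile v1) entries and flags every set-value range that still resolves below the floor of the pinned caret range. The RESOLUTIONS stanza and both lockfile excerpts are constructed for the example (the PR's package.json diff is not shown on this page), and only the `^x.y.z` range form is handled.

```javascript
// Added example (not from the PR or the set-value project): verify from yarn.lock
// that a package.json "resolutions" override landed on every range of set-value.
// Assumptions: yarn classic lockfile v1 syntax; the lock excerpts below are
// constructed for illustration, not copied from the repository.

// Form of the override the PR describes (assumed; the package.json diff is not on the page).
const RESOLUTIONS = { "set-value": "^4.0.1" };

// Constructed excerpt as the lockfile would look before the override:
// the transitive range pulled in via cache-base still resolves to the 2.x line.
const LOCK_BEFORE = `
# yarn lockfile v1


cache-base@^1.0.1:
  version "1.0.1"
  resolved "https://registry.yarnpkg.com/cache-base/-/cache-base-1.0.1.tgz"
  dependencies:
    set-value "^2.0.0"

set-value@^2.0.0, set-value@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/set-value/-/set-value-2.0.1.tgz"
`;

// Constructed excerpt after the override: yarn keeps the old range keys but
// points all of them at the single overridden version.
const LOCK_AFTER = `
# yarn lockfile v1


cache-base@^1.0.1:
  version "1.0.1"
  resolved "https://registry.yarnpkg.com/cache-base/-/cache-base-1.0.1.tgz"
  dependencies:
    set-value "^2.0.0"

set-value@^2.0.0, set-value@^2.0.1, set-value@^4.0.1:
  version "4.1.0"
  resolved "https://registry.yarnpkg.com/set-value/-/set-value-4.1.0.tgz"
`;

// Parse lockfile v1 text into { name, range, version } records. A block header is
// an unindented line ending in ":" that lists one or more "name@range" specs,
// optionally quoted (e.g. "@babel/core@^7.0.0":). A blank line ends the block.
function parseYarnLockV1(text) {
  const entries = [];
  let specs = null;
  for (const line of text.split("\n")) {
    if (line.trim() === "") { specs = null; continue; }
    if (line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && specs) {
      for (const spec of specs) {
        const at = spec.lastIndexOf("@"); // scoped names start with "@", so split on the last one
        entries.push({ name: spec.slice(0, at), range: spec.slice(at + 1), version: m[1] });
      }
    }
  }
  return entries;
}

// Compare dotted versions numerically; a prerelease sorts below its own release.
function compareVersions(a, b) {
  const [coreA, preA] = a.split("-");
  const [coreB, preB] = b.split("-");
  const na = coreA.split(".").map(Number);
  const nb = coreB.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (na[i] || 0) - (nb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0;
}

// Every resolution of `name` that lands below the floor of a caret range such as "^4.0.1".
function resolutionsBelowFloor(lockText, name, caretRange) {
  if (!caretRange.startsWith("^")) throw new Error("only ^x.y.z ranges are handled here");
  const floor = caretRange.slice(1);
  return parseYarnLockV1(lockText)
    .filter((e) => e.name === name && compareVersions(e.version, floor) < 0)
    .map((e) => `${e.name}@${e.range} -> ${e.version}`);
}

// Apply the check for every package named in RESOLUTIONS; an empty array means
// the override took effect on every range of every listed package.
function checkLock(lockText) {
  const failures = [];
  for (const [name, range] of Object.entries(RESOLUTIONS)) {
    failures.push(...resolutionsBelowFloor(lockText, name, range));
  }
  return failures;
}

console.log("before:", checkLock(LOCK_BEFORE)); // lists the two 2.x resolutions
console.log("after:", checkLock(LOCK_AFTER));   // []
```

The check walks every range key of the package rather than looking for a single entry because yarn classic rewrites the existing `set-value@^2.0.0`-style keys to the overridden version instead of dropping them; a leftover key that still points at an old version is exactly the case the override was meant to remove. Run it with `node` against the real yarn.lock by swapping the constructed strings for the file contents.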
@github-actions

github-actions bot commented Oct 5, 2021

yarn.lock changes

Summary

Status Count
ADDED 29
UPDATED 67
DOWNGRADED 1
REMOVED 8
Name Status Previous Current
@babel/code-frame UPDATED 7.12.11 7.14.5
@babel/generator UPDATED 7.12.11 7.15.4
@babel/helper-function-name UPDATED 7.12.11 7.15.4
@babel/helper-get-function-arity UPDATED 7.12.10 7.15.4
@babel/helper-hoist-variables UPDATED 7.0.0 7.15.4
@babel/helper-split-export-declaration UPDATED 7.12.11 7.15.4
@babel/helper-validator-identifier UPDATED 7.12.11 7.15.7
@babel/highlight UPDATED 7.10.4 7.14.5
@babel/parser UPDATED 7.12.11 7.15.7
@babel/runtime UPDATED 7.12.5 7.15.4
@babel/template UPDATED 7.12.7 7.15.4
@babel/types UPDATED 7.12.12 7.15.6
@cumulusds/badge-up ADDED - 2.3.0
@cumulusds/flow-annotation-check ADDED - 1.11.5
@cumulusds/flow-coverage-report ADDED - 0.8.1
@eslint/eslintrc ADDED - 0.4.3
@humanwhocodes/config-array ADDED - 0.5.0
@humanwhocodes/object-schema ADDED - 1.2.0
@rpl/badge-up REMOVED 2.2.0 -
@trysound/sax ADDED - 0.2.0
@types/q REMOVED 1.5.4 -
acorn-jsx UPDATED 5.3.1 5.3.2
ajv UPDATED 6.12.6 8.6.3
ansi-colors ADDED - 4.1.1
ansi-regex UPDATED 5.0.0 5.0.1
argparse UPDATED 1.0.10 2.0.1
array.prototype.find UPDATED 2.1.1 2.1.2
astral-regex UPDATED 1.0.0 2.0.0
call-bind UPDATED 1.0.0 1.0.2
coa REMOVED 2.0.2 -
commander UPDATED 6.2.0 7.2.0
css-color-names UPDATED 0.0.4 1.0.1
css-select-base-adapter REMOVED 0.1.1 -
css-select UPDATED 2.1.0 4.1.3
css-tree UPDATED 1.1.2 1.1.3
css-what UPDATED 3.4.2 5.0.1
dom-serializer UPDATED 0.2.2 1.3.2
domelementtype UPDATED 2.1.0 2.2.0
domhandler ADDED - 4.2.2
domutils UPDATED 1.7.0 2.8.0
enquirer ADDED - 2.3.6
entities UPDATED 2.1.0 2.2.0
es-abstract UPDATED 1.18.0-next.1 1.19.1
escape-string-regexp UPDATED 2.0.0 4.0.0
eslint-utils UPDATED 1.4.3 2.1.0
eslint-visitor-keys UPDATED 1.3.0 2.1.0
eslint UPDATED 6.8.0 7.32.0
espree UPDATED 6.2.1 7.3.1
esquery UPDATED 1.3.1 1.4.0
file-entry-cache UPDATED 5.0.1 6.0.1
flat-cache UPDATED 2.0.1 3.0.4
flatted UPDATED 2.0.2 3.2.2
flow-annotation-check REMOVED 1.11.4 -
flow-coverage-report REMOVED 0.8.0 -
get-intrinsic UPDATED 1.0.1 1.1.1
get-symbol-description ADDED - 1.0.0
glob UPDATED 7.1.6 7.2.0
globals UPDATED 12.4.0 13.11.0
has-bigints ADDED - 1.0.1
has-symbols UPDATED 1.0.1 1.0.2
has-tostringtag ADDED - 1.0.0
import-fresh UPDATED 3.2.2 3.3.0
internal-slot ADDED - 1.0.3
is-bigint ADDED - 1.0.4
is-boolean-object ADDED - 1.1.2
is-callable UPDATED 1.2.2 1.2.4
is-number-object ADDED - 1.0.6
is-primitive ADDED - 3.0.1
is-regex UPDATED 1.1.1 1.1.4
is-shared-array-buffer ADDED - 1.0.1
is-string ADDED - 1.0.7
is-symbol UPDATED 1.0.2 1.0.4
is-weakref ADDED - 1.0.1
json-schema-traverse UPDATED 0.4.1 1.0.0
levn UPDATED 0.3.0 0.4.1
lodash.clonedeep ADDED - 4.5.0
lodash.merge ADDED - 4.6.2
lodash.truncate ADDED - 4.4.2
nanocolors ADDED - 0.1.12
nth-check UPDATED 1.0.2 2.0.1
object-inspect UPDATED 1.9.0 1.11.0
optionator UPDATED 0.8.3 0.9.1
parse-json UPDATED 5.1.0 5.2.0
prelude-ls UPDATED 1.1.2 1.2.1
q REMOVED 1.5.1 -
regenerator-runtime UPDATED 0.13.7 0.13.9
regexpp UPDATED 2.0.1 3.2.0
require-from-string ADDED - 2.0.2
sax DOWNGRADED 1.2.4 1.2.1
set-value UPDATED 2.0.1 4.1.0
side-channel ADDED - 1.0.4
slice-ansi UPDATED 2.1.0 4.0.0
string-width UPDATED 4.2.0 4.2.3
string.prototype.trimend UPDATED 1.0.3 1.0.4
string.prototype.trimstart UPDATED 1.0.3 1.0.4
strip-ansi UPDATED 6.0.0 6.0.1
svgo UPDATED 1.3.2 2.7.0
table UPDATED 5.4.6 6.7.2
type-check UPDATED 0.3.2 0.4.0
type-fest UPDATED 0.11.0 0.20.2
unbox-primitive ADDED - 1.0.1
unquote REMOVED 1.1.1 -
which-boxed-primitive ADDED - 1.0.2
y18n UPDATED 5.0.5 5.0.8
yargs-parser UPDATED 20.2.4 20.2.9

Contributor

@joshuanapoli joshuanapoli left a comment


Thank you. Merge away!

@jeffsays jeffsays merged commit df135ce into master Oct 5, 2021
@jeffsays jeffsays deleted the resolutions-set-value-4.0.1 branch October 5, 2021 22:38
3 participants