
Bump up babel-cli version to fix security alert #3121

Merged: 4 commits merged into OpenAPITools:master from the fix-security-alert branch on Jun 8, 2019

Conversation


@ackintosh ackintosh commented Jun 8, 2019

PR checklist

  • Read the contribution guidelines.
  • Ran the shell script under ./bin/ to update Petstore sample so that CIs can verify the change. (For instance, only need to run ./bin/{LANG}-petstore.sh, ./bin/openapi3/{LANG}-petstore.sh if updating the {LANG} (e.g. php, ruby, python, etc) code generator or {LANG} client's mustache templates). Windows batch files can be found in .\bin\windows\. If contributing template-only or documentation-only changes which will change sample output, be sure to build the project first.
  • Filed the PR against the correct branch: master, 4.1.x, 5.0.x. Default: master.
  • Copied the technical committee to review the pull request if your PR is targeting a particular programming language.

Description of the PR

Updated the babel-cli version to fix the alert below.

Regular Expression Denial of Service
https://www.npmjs.com/advisories/786

$ cd samples/client/petstore/javascript-flowtyped
$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ babel-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ babel-cli > chokidar > anymatch > micromatch > braces        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 6034 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Used the npx CLI tool to find out how we should update the package.json and .babelrc.

$ cd samples/client/petstore/javascript-flowtyped
$ npx babel-upgrade --write


🙌  Thanks for trying out https://github.com/babel/babel-upgrade !

Updating closest package.json dependencies
Index: /Users/akihito1/src/github.com/ackintosh/openapi-generator-1/samples/client/petstore/javascript-flowtyped/package.json
===================================================================
--- /Users/akihito1/src/github.com/ackintosh/openapi-generator-1/samples/client/petstore/javascript-flowtyped/package.json      Before Upgrade
+++ /Users/akihito1/src/github.com/ackintosh/openapi-generator-1/samples/client/petstore/javascript-flowtyped/package.json      After Upgrade
@@ -21,12 +21,13 @@
   "dependencies": {
     "portable-fetch": "^3.0.0"
   },
   "devDependencies": {
-    "babel-cli": "^6.26.0",
-    "babel-core": "^6.26.3",
-    "babel-plugin-transform-flow-strip-types": "^6.22.0",
+    "@babel/cli": "^7.0.0",
+    "@babel/core": "^7.0.0",
+    "@babel/plugin-transform-flow-strip-types": "^7.0.0",
     "babel-preset-react-app": "^3.1.1",
     "flow-copy-source": "^1.3.0",
-    "rimraf": "^2.6.2"
+    "rimraf": "^2.6.2",
+    "@babel/preset-flow": "^7.0.0"
   }
 }
\ No newline at end of file
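Review bot: the PR description shows the audit before the upgrade but nothing after it, so please add a re-run of `npm audit` (or the regenerated lockfile) to the description showing that braces now resolves to >=2.3.1; the advisory is reached through chokidar > anymatch > micromatch, so swapping "babel-cli" for "@babel/cli" only helps if that transitive chain actually changes. Two smaller points in the same hunk: "babel-preset-react-app": "^3.1.1" is left untouched while babel-cli, babel-core and the flow-strip plugin all move to the 7.x scoped packages, so confirm that preset still builds under @babel/core 7 rather than relying on the audit result alone; and the new "@babel/preset-flow" line is appended after "rimraf", where the surrounding devDependencies are otherwise kept in alphabetical order.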


Updating .babelrc config at .babelrc
Index: .babelrc
===================================================================
--- .babelrc    Before Upgrade
+++ .babelrc    After Upgrade
@@ -1,8 +1,9 @@
 {
   "presets": [
-    "react-app"
+    "react-app",
+    "@babel/preset-flow"
   ],
   "plugins": [
-    "transform-flow-strip-types"
+    "@babel/plugin-transform-flow-strip-types"
   ]
 }
\ No newline at end of file
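Review bot: the file now lists both "@babel/preset-flow" under presets and "@babel/plugin-transform-flow-strip-types" under plugins, and the preset's purpose is to strip Flow annotations, which is exactly what the plugin does, so the two overlap and one of them can go (keeping only the preset is the simpler configuration). If the plugin stays for a reason, say so in the PR description. The "\ No newline at end of file" marker also shows the file still ends without a trailing newline, which is worth fixing while the file is being touched.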

@ackintosh ackintosh (Contributor, author) commented

cc: @jaypea @CodeNinjai @frol @cliffano

@wing328 wing328 (Member) left a comment

LGTM

@wing328 wing328 merged commit 2a5a272 into OpenAPITools:master Jun 8, 2019
@ackintosh ackintosh deleted the fix-security-alert branch June 9, 2019 02:57
fantavlik added a commit to fantavlik/openapi-generator that referenced this pull request Jun 17, 2019
…to inline-resolver

* 'master' of github.com:OpenAPITools/openapi-generator: (213 commits)
  Idiomatic Rust returns for Error conversions (OpenAPITools#2812)
  Add API timeout handling (OpenAPITools#3078)
  Import inner items for map (OpenAPITools#3123)
  update core team in pom.xml (OpenAPITools#3126)
  [gradle] Document consuming via gradle plugin portal (OpenAPITools#3125)
  Bump up babel-cli version to fix security alert (OpenAPITools#3121)
  [C++] [cpprestsdk] Add examples and test for cpprestsdk (OpenAPITools#3109)
  Add enum support to `rust` and skip none option serialization in clients (OpenAPITools#2244)
  Add/update new core team member: etherealjoy (OpenAPITools#3116)
  Gradle sample on travis (OpenAPITools#3114)
  [typescript-fetch] add bearer token support (OpenAPITools#3097)
  Add Q_DECLARE_METATYPE to the generated models and remove ref in signals (OpenAPITools#3091)
  [Java][okhttp-gson] Update dependencies (OpenAPITools#3103)
  Link query parameter to model object (OpenAPITools#2710)
  scala-play-server: fix enum names for reserved words (OpenAPITools#3080)
  Add @Sunn to openapi generator core team (OpenAPITools#3105)
  fix NPE in go generator (OpenAPITools#3104)
  scala-play-server: fix API doc url (OpenAPITools#3096)
  [maven-plugin] fix strictSpec parameter without alias (OpenAPITools#3095)
  Ruby: Avoid double escaping path items (OpenAPITools#3093)
  ...

# Conflicts:
#	modules/openapi-generator/src/main/java/org/openapitools/codegen/InlineModelResolver.java
#	modules/openapi-generator/src/test/java/org/openapitools/codegen/InlineModelResolverTest.java
jimschubert added a commit to jimschubert/openapi-generator that referenced this pull request Jun 24, 2019
* master: (25 commits)
  Add #send to ruby reserved word list (OpenAPITools#3146)
  Merge java8 doc for spring (OpenAPITools#3122)
  added api key authentication to aspnetcore 2.1 (OpenAPITools#3089)
  Add "yue9944882" to Perl technical committee (OpenAPITools#3194)
  [csharp-netcore]: Adding http response details in api_docs and making example snippet compilable (OpenAPITools#3128)
  generate travis configuration (OpenAPITools#3193)
  Perl: Basic bearer auth support (OpenAPITools#3192)
  [R] feat(r) : Alternate PR for serialization fixes along with WithHttpInfo method enhancement (OpenAPITools#3099)
  improve release checkout script (OpenAPITools#3184)
  Prepare 4.0.3-SNAPSHOT  (OpenAPITools#3185)
  4.0.2 release (OpenAPITools#3181)
  Fix rubocop obsolescence (OpenAPITools#3175)
  Add Fuse to the company list (OpenAPITools#3164)
  Idiomatic Rust returns for Error conversions (OpenAPITools#2812)
  Add API timeout handling (OpenAPITools#3078)
  Import inner items for map (OpenAPITools#3123)
  update core team in pom.xml (OpenAPITools#3126)
  [gradle] Document consuming via gradle plugin portal (OpenAPITools#3125)
  Bump up babel-cli version to fix security alert (OpenAPITools#3121)
  [C++] [cpprestsdk] Add examples and test for cpprestsdk (OpenAPITools#3109)
  ...