Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: update async dependency where possible #5387

Merged
merged 5 commits into from
Apr 19, 2022

Conversation

jlperkins
Copy link
Contributor

@jlperkins jlperkins commented Apr 18, 2022

Details

This PR partially addresses this dependabot alert about using a vulnerable version of "async." Where possible, it updates the dependencies we have that rely on async and bumps them to use a current, secure version of the package. For the case where this is not possible, choosing to leave the too-low version in for now, as there are two upstream fixes that are currently being worked on and should hit soon.

"Nested" dependencies were updated by removing and re-adding the async@^2.0 entry of the lockfile, since our caret version, when refreshed, would bump up to a secure version of async (2.6.4). Also, electron-builder and app-builder-lib were removed and then re-added from the package.json file, which refreshed some other respective dependencies that rely on async, but also bumped up the version for quite a few other files. The version bump to async has been highlighted by a comment so it is easier to find among the changes in this PR.

Motivation

Keeping dependencies up-to-date.

Context

This fixes all but one of the dependencies we have on async. However, that remaining dependency (we use app-builder-lib, which uses ejs, which uses jake, which uses a vulnerable version of async) has two upstream fixes that are currently getting attention. Secure versions of async are specifically 2.6.4, and then 3.2.3 and above. Jake currently relies on [email protected]. However, there is a recent commit in jake's repo which updates to use [email protected], as well as a pending commit in ejs to remove its dependency on jake, period. Once either of those changes are included in a new release, we will only be dependent upon secure versions of async. This "wait for them to fix it" approach was chosen since the fixes are being actively addressed, and likely by the time we did work to create fixes ourselves, those fixes would be released already.

Pull request checklist

  • [n/a] Addresses an existing issue: #0000
  • Ran yarn fastpass
  • [n/a] Added/updated relevant unit test(s) (and ran yarn test)
  • [n/a] Verified code coverage for the changes made. Check coverage report at: <rootDir>/test-results/unit/coverage
  • PR title AND final merge commit title both start with a semantic tag (fix:, chore:, feat(feature-name):, refactor:). See CONTRIBUTING.md.
  • [n/a] (UI changes only) Added screenshots/GIFs to description above
  • [n/a] (UI changes only) Verified usability with NVDA/JAWS

@jlperkins jlperkins requested a review from a team as a code owner April 18, 2022 22:39
version "2.6.3"
resolved "https://registry.yarnpkg.com/async/-/async-2.6.3.tgz#d72625e2344a3656e3a3ad4fa749fa83299d82ff"
integrity sha512-zflvls11DCy+dQWzTW2dzuilv8Z5X/pjfmZOWba6TNIVDm+2UDaJmXSOXlasHKfNBs8oo3M0aT50fDEWfKZjXg==
version "2.6.4"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the change in question; version 2.6.4 is not vulnerable.

@jlperkins jlperkins merged commit 9ed2347 into microsoft:main Apr 19, 2022
@jlperkins jlperkins deleted the dependabot-alerts branch April 19, 2022 18:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants