Update file-type to 18.2.0#8304
Merged
Merged
Conversation
This comment was marked as resolved.
This comment was marked as resolved.
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 1 Ignored Deployment
|
|
This pull request is automatically built and testable in CodeSandbox. To see build info of the built libraries, click here or the icon next to each commit SHA. Latest deployment of this branch, based on commit 1ed726d:
|
borisno2
approved these changes
Feb 14, 2023
dcousens
force-pushed
the
image-type-upgrade
branch
from
111df5a to
ebbaa75
Compare
dcousens
changed the title
file-type directly)
dcousens
changed the title
file-type directly)file-type to 18.2.0
dcousens
force-pushed
the
image-type-upgrade
branch
from
3d065cf to
4be5b2d
Compare
This reverts commit ebbaa75.
borisno2
force-pushed
the
image-type-upgrade
branch
from
4be5b2d to
f8339ad
Compare
borisno2
force-pushed
the
image-type-upgrade
branch
from
c60d7c3 to
1ed726d
Compare
dcousens
commented
Feb 27, 2023
| "noUnusedLocals": true, | ||
| "types": ["@types/jest"], | ||
| "typeRoots": [], | ||
| "skipLibCheck": false, |
Member
Author
There was a problem hiding this comment.
Unfortunate, but hopefully only temporary
Merged
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request mitigates CVE-2022-36313 by upgrading and using
file-typedirectly.The
image-typepackage wrapsfile-typeand then limits the returned result to a subset of filename extensions.In our usage, we then limited the return of
image-typeto a smaller subset of filename extensions.Knowing this, we have omitted the
image-typepackage and usedfile-typedirectly.Unfortunately we don't have static ESM imports at this time, as a result we are kind of hacking around this for now.
Rather than not mitigate the security vulnerability, I have opted for this as a temporary solution to move forward.
The tests require
NODE_OPTIONS=--experimental-vm-modules, but on GitHub CI,jestis failing with a segmentation fault for that configuration. To pass CI, this pull request disables the test for now, so we can move forward with resolving the security vulnerability. You can run the tests locally usingNODE_OPTIONS=--experimental-vm-moduleswith success.