
@brody4hire

resolves critical yarn audit issue due to: https://www.npmjs.com/advisories/755

without causing any regressions (failures) in the existing test suite

I hope this update can be part of the release 1.19 checklist (#6469).

  • I’ve added tests to confirm my change works.
  • (If changing the API or CLI) I’ve documented the changes I’ve made (in the docs/ directory)
  • (If the change is user-facing) I’ve added my changes to the CHANGELOG.unreleased.md file following the template.
  • I’ve read the contributing guidelines.


and update yarn.lock

resolves critical `yarn audit` issue due to:

    https://www.npmjs.com/advisories/755

fixed formatting of `resolutions` package field using the following command:

    node ./bin/prettier.js --write package.json
@brody4hire brody4hire mentioned this pull request Nov 6, 2019
@fisker
Member

fisker commented Nov 6, 2019

Bad idea, npm doesn't support this; I use this just for testing.

@brody4hire
Author

npm don't support this

but whatever version of handlebars is installed by Yarn would be bundled when the dist is built

I tried building the dist, there seem to be no dependencies in the generated dist/package.json.

So I think this would be for the benefit of most users, who install from npm, and would not affect installation from GitHub.

Am I missing something here?

@alexander-akait
Member

Why not just update the lock file?

package.json Outdated
},
"resolutions": {
"handlebars": "4.4.5"
},
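Review bot: the `resolutions` field is honoured only by Yarn, so this pin changes what Yarn installs for this repository and does nothing for npm-based installs; it also pins an exact version (4.4.5), so later handlebars patch releases will not be picked up without another manual edit. Consider dropping the field and refreshing yarn.lock instead, so the lockfile itself carries the patched version.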
Member

Using resolutions is always a bad idea; it helps in applications with broken/vulnerable dependency releases, but not in libraries or tools.

@brody4hire
Author

Why not just update the lock file?

Done. I just removed the resolutions field, evidently not needed now that yarn.lock is updated.

Is there anything else I can do to help get this into Release 1.19 (#6469)?
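The thread's point is that `resolutions` only affects Yarn installs, while refreshing yarn.lock is what actually moves every handlebars entry to a patched version. The script below is an added example, not Prettier's own code: it parses a Yarn v1 lockfile, reports every entry for a named package that still resolves below a given fixed version, and flags a `resolutions` pin so the reviewer knows it is Yarn-only. The lockfile text and package.json object are constructed samples; the 4.4.5 threshold is the version named in this PR.

```javascript
// Added example, not Prettier's own code: audit a Yarn v1 lockfile for a
// dependency that still resolves below a known-fixed version, and flag any
// "resolutions" pin in package.json, which only Yarn honours (npm ignores it).
"use strict";

// Constructed sample yarn.lock (v1 format). The stale 4.1.2 entry is the kind
// of thing a refreshed lockfile is meant to remove; the 4.4.5 entry is the
// fixed version the PR discussion settled on. URLs are placeholders.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.5.5":
  version "7.5.5"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.5.5.tgz#placeholder"

handlebars@^4.1.2:
  version "4.1.2"
  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.1.2.tgz#placeholder"
  dependencies:
    optimist "^0.6.1"

handlebars@4.4.5:
  version "4.4.5"
  resolved "https://registry.yarnpkg.com/handlebars/-/handlebars-4.4.5.tgz#placeholder"
`;

// Constructed package.json carrying the Yarn-only pin the PR originally added.
const SAMPLE_PACKAGE_JSON = {
  name: "example-tool",
  devDependencies: { handlebars: "^4.1.2" },
  resolutions: { handlebars: "4.4.5" },
};

// "name@range" -> "name"; scoped names start with "@", so split on the last "@".
function packageName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Parse a yarn.lock v1 into [{ specs, name, version }]. Header lines start at
// column 0 and list one or more comma-separated (optionally quoted) keys ending
// in ":"; the resolved version is the indented `version "x.y.z"` line below.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const specs = line
        .replace(/:\s*$/, "")
        .split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
      current = { specs, name: packageName(specs[0]), version: null };
      entries.push(current);
    } else if (current && /^\s{2}version\s/.test(line)) {
      current.version = line.trim().split(/\s+/)[1].replace(/^"|"$/g, "");
    }
  }
  return entries;
}

// Minimal semver ordering: numeric major.minor.patch, and a pre-release tag
// sorts below the corresponding release ("3.7.1-rc" < "3.7.1").
function compareVersions(a, b) {
  const split = (v) => {
    const [core, pre] = v.split("-", 2);
    return { nums: core.split(".").map((n) => parseInt(n, 10) || 0), pre: pre || "" };
  };
  const va = split(a);
  const vb = split(b);
  for (let i = 0; i < 3; i++) {
    const d = (va.nums[i] || 0) - (vb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (va.pre && !vb.pre) return -1;
  if (!va.pre && vb.pre) return 1;
  return va.pre < vb.pre ? -1 : va.pre > vb.pre ? 1 : 0;
}

// Every lockfile entry for `name` whose resolved version is older than `fixedIn`.
function findVulnerable(lockText, name, fixedIn) {
  return parseYarnLock(lockText)
    .filter((e) => e.name === name && e.version !== null && compareVersions(e.version, fixedIn) < 0)
    .map((e) => ({ specs: e.specs, version: e.version }));
}

// Combined check: stale lock entries, plus the "resolutions" value when one
// exists, because that pin changes Yarn installs for this repo but nothing for npm.
function auditDependency(lockText, pkg, name, fixedIn) {
  const resolutions = pkg.resolutions || {};
  return {
    vulnerable: findVulnerable(lockText, name, fixedIn),
    yarnOnlyPin: Object.prototype.hasOwnProperty.call(resolutions, name) ? resolutions[name] : null,
  };
}

function printReport(lockText, pkg, name, fixedIn) {
  const report = auditDependency(lockText, pkg, name, fixedIn);
  for (const v of report.vulnerable) {
    console.log(`stale: ${v.specs.join(", ")} resolves to ${v.version} (< ${fixedIn})`);
  }
  if (report.yarnOnlyPin !== null) {
    console.log(`note: "resolutions" pins ${name} to ${report.yarnOnlyPin}; npm ignores this field`);
  }
  return report;
}

printReport(SAMPLE_YARN_LOCK, SAMPLE_PACKAGE_JSON, "handlebars", "4.4.5");
```

Run against a real repository by reading `yarn.lock` and `package.json` from disk in place of the constructed samples; an empty `vulnerable` list and a `null` `yarnOnlyPin` is the state this PR ended in after the lockfile refresh and the removal of the `resolutions` field.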

@lydell lydell merged commit 4ed377a into prettier:master Nov 6, 2019
@brody4hire brody4hire deleted the handlebars-update-in-package-resolutions branch November 6, 2019 19:41
@brody4hire
Author

Thanks for the quick attention and merge!

After the fact, I really should have updated the title to reflect the end result, which is just an update to yarn.lock.

@fisker
Member

fisker commented Nov 7, 2019

@brodybits @lydell

Please revert this; every time I run the yarn command, yarn.lock changes.
I do this a lot, because I need to switch between different branches.

@lydell
Member

lydell commented Nov 7, 2019

@brodybits How did you update the lockfile?

@fisker You could use yarn --frozen-lockfile for now?

@brody4hire
Author

brody4hire commented Nov 7, 2019 via email

@brody4hire
Author

brody4hire commented Nov 7, 2019 via email

@fisker
Member

fisker commented Nov 7, 2019

@brodybits @lydell no need to revert, sending a PR to fix it

@fisker fisker mentioned this pull request Nov 7, 2019
@brody4hire
Author

brody4hire commented Nov 7, 2019 via email

@fisker
Member

fisker commented Nov 7, 2019

#6867 I don't know either. I ran yarn and checked it, it's still the new version, so I sent it.

lipis added a commit that referenced this pull request Nov 8, 2019
* 'master' of github.com:prettier/prettier: (43 commits)
  Update `postcss-less` to v2 (#6778)
  Show invalid config filename in error message (#6865)
  Change external links to https (#6874)
  Bump @babel/parser from 7.7.0 to 7.7.2 (#6862)
  Fix nullish coalescing parenthesis with mixed logical operators (#6863)
  Remove handlebars@4.4.5 requirement in yarn.lock (#6867)
  Update browserslist in yarn.lock (#6868)
  fix formatting of comments in flow enums (#6860)
  better formatting for AwaitExpression in CallExpression/MemberExpression (#6856)
  Bump @typescript-eslint/typescript-estree from 2.6.0 to 2.6.1 (#6805)
  test: issue #6283 (#6855)
  audit(critical): handlebars@4.4.5 in package resolutions (#6853)
  Flow enums (#6833)
  Add mongo as a VS Code supported language (#6848)
  Bump `eslint` from 6.5.1 to 6.6.0 (#6846)
  Upgrade flow-parser from 0.89 to 0.111 (#6830)
  Bump @babel/preset-react from 7.6.3 to 7.7.0 in /website (#6827)
  Bump typescript from 3.7.1-rc to 3.7.2 (#6832)
  Bump rollup from 1.26.0 to 1.26.3 (#6821)
  update Babel to 7.7.0 and enable error recovery (#6816)
  ...
Shinigami92 pushed a commit to Shinigami92/prettier that referenced this pull request Nov 9, 2019
commit b091fd3
Author: Simon Lydell <[email protected]>
Date:   Sat Nov 9 12:12:31 2019 +0100

    Remove out-of-date comment

commit 58c6b42
Author: Georgii Dolzhykov <[email protected]>
Date:   Sat Nov 9 12:47:54 2019 +0200

    fix formatting of union type as arrow function return type (prettier#6896)

commit 8c3efeb
Author: Simon Lydell <[email protected]>
Date:   Sat Nov 9 01:44:53 2019 +0100

    Try to fix some code blocks in 1.19.0 blog post

commit 4eb3e26
Author: Simon Lydell <[email protected]>
Date:   Sat Nov 9 01:23:57 2019 +0100

    Blog post, changelog and docs for 1.19 (prettier#6787)

commit 98d27c7
Author: Simon Lydell <[email protected]>
Date:   Sat Nov 9 01:14:31 2019 +0100

    Bump Prettier dependency to 1.19.0

commit e788e8d
Author: Simon Lydell <[email protected]>
Date:   Sat Nov 9 01:09:19 2019 +0100

    Release 1.19.0

commit 057e15d
Author: Simon Lydell <[email protected]>
Date:   Sat Nov 9 01:00:06 2019 +0100

    prettier 1.19.0-beta.1

commit 3fb111a
Author: Georgii Dolzhykov <[email protected]>
Date:   Sat Nov 9 01:12:32 2019 +0200

    deduplicate entries in yarn.lock - part 2 (prettier#6884)

commit 10c5c37
Author: Georgii Dolzhykov <[email protected]>
Date:   Sat Nov 9 00:43:34 2019 +0200

    deduplicate entries in yarn.lock (prettier#6882)

    * deduplicate entries in yarn.lock

    * revert changes for @babel/code-frame

commit 361fd2d
Author: Georgii Dolzhykov <[email protected]>
Date:   Sat Nov 9 00:06:54 2019 +0200

    fix printing bigint literals parsed by Flow (prettier#6883)

commit ea70396
Author: Georgii Dolzhykov <[email protected]>
Date:   Fri Nov 8 23:31:31 2019 +0200

    Fix lost adjacent JSX when using Babel (prettier#6881)

    Bump @babel/parser to 7.7.3. Otherwise Prettier formats "<a/><b/>" to "<a/ >;".

commit 7959b12
Author: Justin Ridgewell <[email protected]>
Date:   Fri Nov 8 15:25:38 2019 -0500

    Don't require parens for same-operator logical expressions (prettier#6864)

    Multiple same-operator logical expressions do not require parentheses to disambiguate.

commit 3618361
Author: fisker Cheung <[email protected]>
Date:   Sat Nov 9 02:38:55 2019 +0800

    Update `codecov` to v3.6.1 (prettier#6876)

commit e1d30d6
Author: fisker Cheung <[email protected]>
Date:   Sat Nov 9 02:37:56 2019 +0800

    Update `@babel/core` to v7.7.2 (prettier#6877)

commit d865eb5
Author: fisker Cheung <[email protected]>
Date:   Sat Nov 9 02:37:41 2019 +0800

    Update `flow-parser` to v0.111.3 (prettier#6878)

commit ec65947
Author: fisker Cheung <[email protected]>
Date:   Sat Nov 9 02:36:27 2019 +0800

    Update `@rollup/plugin-replace` to v2.2.1 (prettier#6879)

commit 460ea2f
Author: fisker Cheung <[email protected]>
Date:   Sat Nov 9 02:33:59 2019 +0800

    Format `style[lang="css"]` (prettier#6875)

commit 597dae8
Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date:   Fri Nov 8 17:44:23 2019 +0100

    Bump @babel/preset-env from 7.6.3 to 7.7.1 in /website (prettier#6826)

    Bumps [@babel/preset-env](https://github.com/babel/babel) from 7.6.3 to 7.7.1.
    - [Release notes](https://github.com/babel/babel/releases)
    - [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
    - [Commits](babel/babel@v7.6.3...v7.7.1)

    Signed-off-by: dependabot-preview[bot] <[email protected]>

    Co-authored-by: null <27856297+dependabot-preview[bot]@users.noreply.github.com>

commit d05be09
Author: fisker Cheung <[email protected]>
Date:   Sat Nov 9 00:33:28 2019 +0800

    Fix unpkg links in docs (prettier#6872)

commit 85912a7
Author: fisker Cheung <[email protected]>
Date:   Fri Nov 8 23:34:14 2019 +0800

    Update `postcss-less` to v2 (prettier#6778)

    * Update `postcss-less` to v2

    * fix less `custom-selectors`

    * fix less `custom-selectors` 2

    * fix custom-selector `:` position

    * remove less hack

    * fix custom selector

    * cleanup

    * add changelog

    * add link

    * restore changelog

    * restore snap

    * restore snap

    * update postcss-custom-selectors detect

    * remove startsWith

    * trigger build

    * update `custom-selector`

    * add test and changelog

    * style

    * md

    * issue-4090-test

    * docs

    * Update CHANGELOG.unreleased.md

    Co-Authored-By: Georgii Dolzhykov <[email protected]>

    * fix pr issue

    * fix

    * fix merge issue

    * insert new line

    * snap update

    * only support custom-selector in css

    * scss already parse it as custom-selector

    * remove `custom-selector` test in scss

    * link

commit 91c5235
Author: fisker Cheung <[email protected]>
Date:   Fri Nov 8 20:51:51 2019 +0800

    Show invalid config filename in error message (prettier#6865)

commit 304acbe
Author: fisker Cheung <[email protected]>
Date:   Fri Nov 8 19:49:32 2019 +0800

    Change external links to https (prettier#6874)

commit b06b42d
Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date:   Fri Nov 8 14:18:59 2019 +0300

    Bump @babel/parser from 7.7.0 to 7.7.2 (prettier#6862)

    Bumps [@babel/parser](https://github.com/babel/babel) from 7.7.0 to 7.7.2.
    - [Release notes](https://github.com/babel/babel/releases)
    - [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
    - [Commits](babel/babel@v7.7.0...v7.7.2)

    Signed-off-by: dependabot-preview[bot] <[email protected]>

commit 8188876
Author: Justin Ridgewell <[email protected]>
Date:   Thu Nov 7 13:56:44 2019 -0500

    Fix nullish coalescing parenthesis with mixed logical operators (prettier#6863)

    * Fix nullish coalescing with mixed logical operators parenthesis

    Mixing nullish coalescing (`??`) with the other logical operators (`&&` and `||`) requires parenthesis to disambiguate the intended short circuiting. Without it, it's a `SyntaxError`. Earlier drafts of the spec allowed mixing, but it was disallowed when we reached Stage 3.

    See https://v8.dev/features/nullish-coalescing#mixing-and-matching-operators

    * Update changelog

    * Fixes and cleanup

    * Update changelog

commit d4a7a47
Author: fisker Cheung <[email protected]>
Date:   Thu Nov 7 18:33:24 2019 +0800

    Remove handlebars@4.4.5 requirement in yarn.lock (prettier#6867)

commit 5caa608
Author: fisker Cheung <[email protected]>
Date:   Thu Nov 7 18:04:32 2019 +0800

    Update browserslist in yarn.lock (prettier#6868)

commit b9ab7e2
Author: Georgii Dolzhykov <[email protected]>
Date:   Thu Nov 7 12:02:41 2019 +0200

    fix formatting of comments in flow enums (prettier#6860)

commit 54cbdb8
Author: Georgii Dolzhykov <[email protected]>
Date:   Wed Nov 6 21:53:16 2019 +0200

    better formatting for AwaitExpression in CallExpression/MemberExpression (prettier#6856)

    * better formatting for AwaitExpression nested in CallExpression or MemberExpression

    * update changelog

commit 5458fb5
Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date:   Wed Nov 6 20:45:09 2019 +0100

    Bump @typescript-eslint/typescript-estree from 2.6.0 to 2.6.1 (prettier#6805)

    * Bump @typescript-eslint/typescript-estree from 2.6.0 to 2.6.1

    Bumps [@typescript-eslint/typescript-estree](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-estree) from 2.6.0 to 2.6.1.
    - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
    - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/master/packages/typescript-estree/CHANGELOG.md)
    - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v2.6.1/packages/typescript-estree)

    Signed-off-by: dependabot-preview[bot] <[email protected]>

    * add shim for path.extname

commit 5992654
Author: Evilebot Tnawi <[email protected]>
Date:   Wed Nov 6 22:43:21 2019 +0300

    test: issue prettier#6283 (prettier#6855)

commit 4ed377a
Author: Chris Brody <[email protected]>
Date:   Wed Nov 6 14:38:38 2019 -0500

    audit(critical): handlebars@4.4.5 in package resolutions (prettier#6853)

    * audit(critical): handlebars@4.4.5 in package resolutions

    and update yarn.lock

    resolves critical `yarn audit` issue due to:

        https://www.npmjs.com/advisories/755

    fixed formatting of `resolutions` package field using the following command:

        node ./bin/prettier.js --write package.json

    * and remove resolutions, not needed now that the lock file has been updated

commit b23c6a2
Author: George Zahariev <[email protected]>
Date:   Wed Nov 6 11:36:16 2019 -0800

    Flow enums (prettier#6833)

commit 16f2c97
Author: Aymeric Bouzy <[email protected]>
Date:   Wed Nov 6 15:57:49 2019 +0100

    Add mongo as a VS Code supported language (prettier#6848)

    * Add mongo as a VS Code supported language

    * updated Changelog

    * fix spellcheck error

    * fix tests

commit 4d9acf8
Author: fisker Cheung <[email protected]>
Date:   Wed Nov 6 18:29:02 2019 +0800

    Bump `eslint` from 6.5.1 to 6.6.0 (prettier#6846)

commit e48a9df
Author: George Zahariev <[email protected]>
Date:   Tue Nov 5 22:50:32 2019 -0800

    Upgrade flow-parser from 0.89 to 0.111 (prettier#6830)

commit 2b22c7a
Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date:   Wed Nov 6 07:46:14 2019 +0100

    Bump @babel/preset-react from 7.6.3 to 7.7.0 in /website (prettier#6827)

    Bumps [@babel/preset-react](https://github.com/babel/babel) from 7.6.3 to 7.7.0.
    - [Release notes](https://github.com/babel/babel/releases)
    - [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
    - [Commits](babel/babel@v7.6.3...v7.7.0)

    Signed-off-by: dependabot-preview[bot] <[email protected]>

    Co-authored-by: null <27856297+dependabot-preview[bot]@users.noreply.github.com>

commit d3fbdd9
Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date:   Wed Nov 6 07:40:45 2019 +0100

    Bump typescript from 3.7.1-rc to 3.7.2 (prettier#6832)

    Bumps [typescript](https://github.com/Microsoft/TypeScript) from 3.7.1-rc to 3.7.2.
    - [Release notes](https://github.com/Microsoft/TypeScript/releases)
    - [Commits](https://github.com/Microsoft/TypeScript/commits)

    Signed-off-by: dependabot-preview[bot] <[email protected]>

    Co-authored-by: null <27856297+dependabot-preview[bot]@users.noreply.github.com>

commit c26f087
Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date:   Tue Nov 5 23:45:28 2019 +0200

    Bump rollup from 1.26.0 to 1.26.3 (prettier#6821)

    Bumps [rollup](https://github.com/rollup/rollup) from 1.26.0 to 1.26.3.
    - [Release notes](https://github.com/rollup/rollup/releases)
    - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
    - [Commits](rollup/rollup@v1.26.0...v1.26.3)

    Signed-off-by: dependabot-preview[bot] <[email protected]>

commit 1df4c17
Author: Georgii Dolzhykov <[email protected]>
Date:   Tue Nov 5 21:08:41 2019 +0200

    update Babel to 7.7.0 and enable error recovery (prettier#6816)

commit 9d2f5e0
Author: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Date:   Tue Nov 5 19:08:14 2019 +0100

    Bump terser-webpack-plugin from 2.1.3 to 2.2.1 (prettier#6819)

    Bumps [terser-webpack-plugin](https://github.com/webpack-contrib/terser-webpack-plugin) from 2.1.3 to 2.2.1.
    - [Release notes](https://github.com/webpack-contrib/terser-webpack-plugin/releases)
    - [Changelog](https://github.com/webpack-contrib/terser-webpack-plugin/blob/master/CHANGELOG.md)
    - [Commits](webpack/terser-webpack-plugin@v2.1.3...v2.2.1)

    Signed-off-by: dependabot-preview[bot] <[email protected]>

    Co-authored-by: null <27856297+dependabot-preview[bot]@users.noreply.github.com>
@fisker fisker mentioned this pull request Jan 15, 2020
@lock lock bot added the locked-due-to-inactivity Please open a new issue and fill out the template instead of commenting. label Feb 5, 2020
@lock lock bot locked as resolved and limited conversation to collaborators Feb 5, 2020