-
Notifications
You must be signed in to change notification settings - Fork 143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump glob to 10.3.10 (latest). #822
Conversation
@pnappa Thanks for the PR! One issue (failing the build) is that it looks like glob comes with its own types now, so I definitely want to get this fixed, but want to think a little more on the exact strategy. |
The dependency glob was pinned to version 7.1.6, which depended on a package called inflight. inflight is unmainted, and currently has a memory leak vulnerability, classified high severity. New major releases of glob do not rely on this vulnerable dependency.
840802f
to
305c2eb
Compare
Oops! Silly mistake - amended the commit to remove the types package. Yeah, the decision of whether a major version is required for semver is somewhat philosophical. I would say yeah, you'd need to bump major because you've specified node version 8 support in the I ran:
And with this patch:
I didn't even know about the engines field in Re: supporting older node.js versions: I don't think it's necessary to take on additional effort to support very old node versions, even for backporting security patches. There are probably quite a few flaws in the node.js engine itself that are not fixed for unsupported versions: https://nodejs.org/en/blog/vulnerability only mentions that it fixes the versions with security support (see here https://endoflife.date/nodejs). So, updating the engine requirement to be in-line with needs, in addition to bumping the major version & deploying a patch would be productive. That's my opinion at least - short of forking glob to remove unsupported engine features to keep engine requirement at the same level - it's probably the best path of action. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #822 +/- ##
=======================================
Coverage 88.70% 88.70%
=======================================
Files 56 56
Lines 6082 6082
Branches 1446 1446
=======================================
Hits 5395 5395
Misses 421 421
Partials 266 266 ☔ View full report in Codecov by Sentry. |
Benchmark resultsBefore this PR: 573.8 thousand lines per second Measured change: 1.57% slower (2.04% slower to 2.03% faster) |
Thanks for updating to remove the types package, and thanks again for the PR! I thought a bit more about the release strategy, and my plan is to release this as a semver-minor release (3.35.0) rather than semver-major, and I'll include a release note explaining caveats and workarounds. It's an awkward choice to make, but I'm weighing the disruption of dropping old node versions with the disruption of a security fix that's only available as semver-major. Recommendation for projects on Node.js versions before 14.7:
To explain the release rationale a bit more, the three options I considered were:
I looked into the details and did some testing to understand the impact more specifically. Some notes and observations:
Weighing the options, I think the impact of the breaking change would be very small, and would be outweighed by the impact of the Sucrase 3.x line having an open vulnerability, and the impact of all libraries needing to explicitly upgrade. Some related thoughts on my longer-term thinking for the project:
|
Excellent, thank you for the detailed report and feedback. |
This helps confirm that the code change from #822 is safe, which it seems to be. Previously, this code path was untested, but now that there are CLI integration tests, it's not so bad to write a new one for this case.
This helps confirm that the code change from #822 is safe, which it seems to be. Previously, this code path was untested, but now that there are CLI integration tests, it's not so bad to write a new one for this case.
Thanks again! Just released as v3.35.0. |
The dependency glob was pinned to version 7.1.6, which depended on a package called inflight. inflight is unmaintained, and currently has a memory leak vulnerability, classified high severity.
New major releases of glob do not rely on this vulnerable dependency.