Update ramda to 0.29 #654
Update ramda to 0.29 #654
Conversation
| @@ -10,7 +10,7 @@ jobs: | |||
| node-version: 10 | |||
| - uses: actions/setup-python@v2 | |||
| with: | |||
| python-version: 3.6 | |||
| python-version: 3.8 | |||
There was a problem hiding this comment.
3.6 is no longer available on GitHub actions. 3.8 isn't the latest either but there are breaking changes in 3.9 which would mean we have to uptake other changes that I wanted to do right now to the way we build docs, Sphinx versions and the related toolchain.
| needs: [test] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: coverallsapp/github-action@master |
There was a problem hiding this comment.
The GitHub org policies do not let us use external actions outside our space. Dropping coveralls reports (nice to have, and not fundamental).
| @@ -104,7 +104,7 @@ const deduplicateUnsupportedAnnotations = R.curry((namespace, parseResult) => { | |||
| }, | |||
| R.T); | |||
|
|
|||
| const result = new namespace.elements.ParseResult(R.filter(filterWarnings, parseResult)); | |||
| const result = R.filter(filterWarnings, parseResult); | |||
There was a problem hiding this comment.
As fantasy land filter would result in the same type, we no longer need to wrap it back into a parse result.
| @@ -72,7 +72,8 @@ function parseOauthFlowsObject(context, object) { | |||
| authScheme.push(new namespace.elements.Member('grantType', grantTypes[member.key.toValue()])); | |||
| authScheme.push(member.value.getMember('scopes')); | |||
|
|
|||
| R.filter(R.is(namespace.elements.Transition), member.value).forEach((item) => { | |||
| const isTransitionElement = R.is(namespace.elements.Transition); | |||
| member.value.filter(isTransitionElement).forEach((item) => { | |||
There was a problem hiding this comment.
This one was a little tricky to grapple with. member.value here is an ObjectElement. An object element is a series of key/value pairs called members.
ObjectElement's forEach has the signature of (value, key, item). Thus when filter returns an ObjectElement, the behaviour changed. I have switched to member.value.filter which is equivalent to the prior behaviour as it would call forEach on ArraySlice which iterates over each member element and doesn't have the forEach semantics of an object.
kylef
added
openapi3
security
What:
Details
In ramda 0.28 a breaking change to to the
R.filterandR.rejectfunctions had been introduced, in the pastfilterwould callfilteron the underlying object, whereas now it will run fantasy landfilter(as of ramda/ramda#3002).What's fantasy land and why does this matter?
Fantasy land is somewhat a specification (or set of laws) that a set of values should behave as, for example it states that
filtershould return the same type as the object that it was called upon. I.e, if you callfilteron aParseResult, it must returnParseResult.The why it matters part, is that minim's "Array" and "ParseResult" structures implement both
filterand fantasy land compatible filter. It does so, with a difference in behaviour refractproject/minim@6274d46.filterreturns an ArraySlice, whereas the fantasy land filter must return the same type.What's the difference?
elementsproperty.content.Why:
Older versions of ramda are flagged as insecure.
Criticality:
Medium - Due to security nature.
Blast radius:
Medium - The OpenAPI 3 parser is not type safe, although it has fairly good test coverage. Ramda a fundamental dependency, and changes to its behaviour can have widespread impact. Although I am fairly confident there are no widespread bugs introduced given the test coverage is very high (wrote most of the parser test-first/TDD).
Expected outcome:
The version of ramda used is no longer flagged as insecure.
Potential impact and visibility:
No expected impact.
Test results:
The openapi3-parser has fairly wide test coverage that gives me enough confidence this change works as expected, at-least within the context of this project. Consumers of the library will need to uptake any ramda behaviour changes also.