
Upgrade 'yargs' version ('y18n' security issue) #8781

Open
DoroNahari opened this issue Nov 25, 2020 · 2 comments
Labels: dependencies (pull requests that update a dependency file), security (issues related to security)

Comments

DoroNahari (Contributor) commented Nov 25, 2020

Bug Description:

y18n had a security issue that was fixed in version 5.0.5.
Currently Theia is using yargs 11.1.0, which is using y18n < 5.0.5.
yargs upgraded to the 5.0.5 y18n version in version 16.1.1.

Can we try to upgrade to yargs 16.1.1?

Additional Information

yargs/yargs#1790
yargs/yargs@ae001f3

  • Theia Version: 1.7.0
vince-fugnitto added the dependencies and security labels Nov 25, 2020

vince-fugnitto (Member) commented

@DoroNahari sounds good to me :) do you mind preparing a pull-request that updates the dependency, and its typings (including updating the source code if necessary)? During the review I’ll determine if the update in version still satisfies our license compatibility.

paul-marechal (Member) commented Nov 26, 2020

yarn why v1.22.4
[1/4] Why do we have the module "y18n"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "y18n@4.0.0"
info Has been hoisted to "y18n"
info Reasons this module exists
   - "workspace-aggregator-a22e6fbd-0783-4caa-bffc-7d98b30d9096" depends on it
   - Hoisted from "_project_#yargs#y18n"
   - Hoisted from "_project_#@theia#application-manager#copy-webpack-plugin#cacache#y18n"
   - Hoisted from "_project_#@theia#application-manager#@theia#compression-webpack-plugin#cacache#y18n"
   - Hoisted from "_project_#@theia#cli#mocha#yargs#y18n"
   - Hoisted from "_project_#@theia#application-manager#electron-rebuild#yargs#y18n"
   - Hoisted from "_project_#@theia#application-manager#webpack#terser-webpack-plugin#cacache#y18n"
   - Hoisted from "_project_#@theia#cli#mocha#yargs-unparser#yargs#y18n"
=> Found "lerna#y18n@3.2.1"
info Reasons this module exists
   - "_project_#lerna#yargs" depends on it
   - Hoisted from "_project_#lerna#yargs#y18n"
=> Found "webpack-cli#y18n@3.2.1"
info Reasons this module exists
   - "_project_#@theia#application-manager#webpack-cli#yargs" depends on it
   - Hoisted from "_project_#@theia#application-manager#webpack-cli#yargs#y18n"

The y18n vulnerability is listed as affecting 5.0.0 to 5.0.4 but as you can see we don't target any of that. Although I wouldn't be against using a newer version of yargs, feel free to do it while opening CQs if/as required.
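The kind of check paul-marechal's `yarn why` output supports, as an added example that is not part of this thread or of the Theia project: it parses the `=> Found` lines for a module and tests every resolved version against an affected range. The range used (5.0.0 up to, but excluding, the 5.0.5 fix) is the one stated in this thread and is taken as an assumption; the `yarn why` lines are a constructed excerpt of the output above.

```javascript
// Constructed sample built from the "=> Found" lines of the output above.
const YARN_WHY_OUTPUT = `
=> Found "y18n@4.0.0"
   - Hoisted from "_project_#yargs#y18n"
=> Found "lerna#y18n@3.2.1"
   - "_project_#lerna#yargs" depends on it
=> Found "webpack-cli#y18n@3.2.1"
`;
// Affected range as stated in the thread (5.0.0 to 5.0.4, fixed in 5.0.5);
// an assumption for the demo, so substitute the ranges from the real advisory.
const AFFECTED_RANGES = [{ min: '5.0.0', fixedIn: '5.0.5' }];
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// -1, 0 or 1, comparing major, minor and patch numerically (so 3.10.0 > 3.9.0).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A version is affected if min <= version < fixedIn for any listed range.
function isAffected(version, ranges) {
  return ranges.some(r =>
    compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixedIn) < 0);
}

// Each `=> Found "<parent>#<name>@<version>"` line is one resolved copy; the
// optional parent path shows where yarn nested it instead of hoisting it.
function findResolvedVersions(output, moduleName) {
  const name = moduleName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`^=> Found "(?:(.+)#)?${name}@([^"]+)"$`, 'gm');
  const found = [];
  for (let m; (m = re.exec(output)) !== null;) {
    found.push({ version: m[2], nestedUnder: m[1] || null });
  }
  return found;
}

function auditModule(output, moduleName, ranges) {
  return findResolvedVersions(output, moduleName)
    .map(f => ({ ...f, affected: isAffected(f.version, ranges) }));
}
console.log(auditModule(YARN_WHY_OUTPUT, 'y18n', AFFECTED_RANGES));
```

Run it against the full `yarn why <module>` output to see every copy the lockfile resolves, not just the hoisted one.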
