
Conversation

@yantze (Member) commented Jan 10, 2022

Types

  • 🪚 Refactors

Background or solution

Handle the high-severity vulnerability in the extension marketplace dependency

  1. Refactor to use node-fetch for fetching extension information. Older urllib versions carry a high-severity vulnerability, and the new version is incompatible with webpack, so it had to be replaced.
  2. Refactor cleanup to use an async method.

close #317

Changelog

  • replace urllib

@CLAassistant commented Jan 10, 2022

CLA assistant check
All committers have signed the CLA.

@yantze (Member, Author) commented Jan 10, 2022

cleanUp throws an exception in some cases, which causes the extension installation to fail; the synchronous method directly aborts the installation process.
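The failure mode described in this comment, as an added JavaScript example that is not part of the PR or of the OpenSumi code base: `fetchExtensionInfo`, `cleanUpSync`, `cleanUpAsync`, `installBefore` and `installAfter` are assumed names standing in for the service's real methods, and the marketplace catalogue is constructed sample data.

```javascript
// Added example, not code from the opensumi/ide-electron PR. fetchExtensionInfo
// stands in for the node-fetch marketplace request; the catalogue is constructed.
const marketplace = new Map([['vendor.sample-ext', { version: '1.0.0' }]]);

async function fetchExtensionInfo(id) {
  const info = marketplace.get(id);
  if (!info) throw new Error(`extension not found: ${id}`);
  return info;
}

// Simulates the "throws in some cases" cleanup (e.g. a busy temp dir) by
// always failing; the real cleanup would remove downloaded temp files.
function cleanUpSync(tmpDir) {
  throw new Error(`EBUSY: cannot remove ${tmpDir}`);
}
async function cleanUpAsync(tmpDir) {
  throw new Error(`EBUSY: cannot remove ${tmpDir}`); // surfaces as a rejection
}

// Before: the cleanup exception propagates out of installBefore, so the
// caller sees a failed install even though the extension data was fetched.
async function installBefore(id) {
  const info = await fetchExtensionInfo(id);
  cleanUpSync(`/tmp/${id}`);
  return { id, version: info.version, installed: true, warnings: [] };
}

// After: the cleanup is awaited, its failure is caught and kept as a warning,
// and the install result no longer depends on whether temp files were removed.
async function installAfter(id) {
  const info = await fetchExtensionInfo(id);
  const warnings = [];
  try {
    await cleanUpAsync(`/tmp/${id}`);
  } catch (err) {
    warnings.push(`cleanup failed for ${id}: ${err.message}`);
  }
  return { id, version: info.version, installed: true, warnings };
}

// Runs both variants and reports the outcome of each.
async function demo(id = 'vendor.sample-ext') {
  const before = await installBefore(id).then(() => 'installed', (e) => `failed: ${e.message}`);
  const after = await installAfter(id).then((r) => (r.installed ? 'installed' : 'failed'));
  return { before, after };
}

demo().then((r) => console.log(r));
```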

@codecov-commenter commented

Codecov Report

Merging #305 (b283eb4) into main (6146569) will increase coverage by 0.00%.
The diff coverage is 0.00%.


@@           Coverage Diff           @@
##             main     #305   +/-   ##
=======================================
  Coverage   59.33%   59.33%           
=======================================
  Files        1182     1182           
  Lines       72666    72665    -1     
  Branches    15056    15056           
=======================================
  Hits        43116    43116           
+ Misses      26929    26928    -1     
  Partials     2621     2621           
Impacted Files Coverage Δ
...xtension-manager/src/node/vsx-extension.service.ts 0.00% <0.00%> (ø)


Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@hacke2 (Member) commented Jan 10, 2022

What exactly is the high-severity vulnerability? My understanding is that urllib is still maintained.

@yantze (Member, Author) commented Jan 10, 2022

What exactly is the high-severity vulnerability? My understanding is that urllib is still maintained.

As discussed before: the latest urllib version uses pac-resolver to fix a high-severity vulnerability, but that package breaks webpack bundling.

@yantze (Member, Author) commented Jan 10, 2022

What exactly is the high-severity vulnerability? My understanding is that urllib is still maintained.

See the vulnerability details here: https://github.com/opensumi/ide-electron/security/dependabot

@hacke2 (Member) commented Jan 10, 2022


What does this have to do with urllib?

@yantze (Member, Author) commented Jan 10, 2022

  • "proxy-agent 4.x has that remote code execution vulnerability."
  • "urllib -> proxy-agent -> pac-proxy-agent -> pac-resolver -> degenerator: after the upgrade, degenerator uses vm2 to execute potentially untrusted code, and vm's dynamic execution logic cannot be bundled by webpack, I think."

@hacke2 (Member) commented Jan 10, 2022

I have the feeling that submitting a PR to urllib would be more appropriate...

@yantze (Member, Author) commented Jan 10, 2022

I have the feeling that submitting a PR to urllib would be more appropriate...

That is how they designed it; short of changing their agent architecture, a change to such a foundational package would have too large an impact for them.

@erha19 (Member) left a review comment

LGTM

@erha19 (Member) commented Jan 13, 2022

@yantze there are merge conflicts, please resolve them.

@yantze yantze force-pushed the refactor/replace-urllib branch 3 times, most recently from dee6cb2 to 73711f8 on January 13, 2022 06:54
@yantze yantze force-pushed the refactor/replace-urllib branch from 73711f8 to 5d03809 on January 13, 2022 09:35
@erha19 erha19 merged commit f3d9032 into main Jan 17, 2022
@erha19 erha19 deleted the refactor/replace-urllib branch January 17, 2022 07:48
yantze added a commit to opensumi/ide-electron that referenced this pull request Feb 11, 2022

Development

Successfully merging this pull request may close these issues.

[BUG] Use the existing node-fetch to replace urllib
