Posted to reviews@spark.apache.org by GitBox <gi...@apache.org> on 2022/02/23 10:47:26 UTC

[GitHub] [spark] bjornjorgensen opened a new pull request #35628: [SPARK-38303] Upgrade 'ansi-regex' from 5.0.0 to 5.0.1 in /dev

bjornjorgensen opened a new pull request #35628:
URL: https://github.com/apache/spark/pull/35628


   ### What changes were proposed in this pull request?
   Upgrade ansi-regex from 5.0.0 to 5.0.1 in /dev
   
   ### Why are the changes needed?
   [CVE-2021-3807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807)
   
   [release notes on GitHub](https://github.com/chalk/ansi-regex/releases)
   
   By upgrading ansi-regex from 5.0.0 to 5.0.1 we will resolve this issue.
   
   ### Does this PR introduce _any_ user-facing change?
   Some users use remote security scanners and this is one of the issues that comes up. How this can do some damage with Spark is highly uncertain, but let's remove the uncertainty that any user may have.
   
   
   ### How was this patch tested?
   All tests must pass.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org


[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049785764


   @bjornjorgensen 
   > @sarutak I first tried to reverse this PR and then I got a lot of errors [SO](https://stackoverflow.com/questions/62653114/how-can-i-deal-with-this-git-warning-pulling-without-specifying-how-to-reconci)
   
   It's not an error but a WARN, and it will be suppressed after `package-lock.json` is updated.
   Please update `package.json` and just run `npm`.
   



[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049008885


   @bjornjorgensen Can you retry with the latest LTS release of `npm`?



[GitHub] [spark] bjornjorgensen commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
bjornjorgensen commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1048974164


   @sarutak I first tried to reverse this PR and then I got a lot of errors [SO](https://stackoverflow.com/questions/62653114/how-can-i-deal-with-this-git-warning-pulling-without-specifying-how-to-reconci)
   
   And then I did:
   
   ```
   npm install
   npm WARN old lockfile 
   npm WARN old lockfile The package-lock.json file was created with an old version of npm,
   npm WARN old lockfile so supplemental metadata must be fetched from the registry.
   npm WARN old lockfile 
   npm WARN old lockfile This is a one-time fix-up, please be patient...
   npm WARN old lockfile 
   
   added 118 packages, and audited 119 packages in 16s
   
   15 packages are looking for funding
     run `npm fund` for details
   
   1 moderate severity vulnerability
   
   To address all issues, run:
     npm audit fix
   
   Run `npm audit` for details.
   [bjorn@bjorn-aspirea51751g dev]$ npm audit fix
   
   changed 1 package, and audited 119 packages in 943ms
   
   15 packages are looking for funding
     run `npm fund` for details
   
   found 0 vulnerabilities
   ```
   
   But now the `package-lock.json` file is 2245 lines long!
   
   Will you @sarutak take over? I can close this PR after you have copied the text.



[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049892646


   @bjornjorgensen Oh, please run `npm install` to update `package-lock.json` after you modified `package.json`, then push the change.



[GitHub] [spark] sarutak edited a comment on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
sarutak edited a comment on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049892646


   @bjornjorgensen Oh, please run `npm install` in `dev` to update `package-lock.json` after you modified `package.json`, then push the change.



[GitHub] [spark] sarutak closed pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
sarutak closed pull request #35628:
URL: https://github.com/apache/spark/pull/35628


   



[GitHub] [spark] bjornjorgensen edited a comment on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
bjornjorgensen edited a comment on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049921212


   @sarutak I now have
   
   ```json
   {
     "devDependencies": {
       "eslint": "^7.25.0",
       "ansi-regex": "^5.0.1"
     }
   }
   ```
   
   in `package.json`, and when I run `npm install`:
   
   ```
   npm WARN old lockfile
   npm WARN old lockfile The package-lock.json file was created with an old version of npm,
   npm WARN old lockfile so supplemental metadata must be fetched from the registry.
   npm WARN old lockfile 
   npm WARN old lockfile This is a one-time fix-up, please be patient...
   npm WARN old lockfile 
   
   added 118 packages, and audited 119 packages in 3s
   
   15 packages are looking for funding
     run `npm fund` for details
   
   found 0 vulnerabilities
   ```
   
   I'm using npm@8.3.1
   
   



[GitHub] [spark] srowen commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1048854776


   Seems reasonable though I confess I don't know what this file is.
   @sarutak can you weigh in?



[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049953966


   @bjornjorgensen Please see [this comment](https://github.com/apache/spark/pull/35628#issuecomment-1049785764).



[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1048908863


   @bjornjorgensen Thank you for trying to fix the CVE!
   Could you NOT edit `package-lock.json` directly?
   Instead, please edit `dev/package.json`, then run `npm install` in the `dev` directory to update `package-lock.json`.



[GitHub] [spark] AmplabJenkins commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049682393


   Can one of the admins verify this patch?



[GitHub] [spark] bjornjorgensen commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
bjornjorgensen commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049037084


   @sarutak OK, I'm trying with [Latest LTS Version: 16.14.0 (includes npm 8.3.1)](https://nodejs.org/en/download/)
   
   ```
   npm install
   npm WARN old lockfile
   npm WARN old lockfile The package-lock.json file was created with an old version of npm,
   npm WARN old lockfile so supplemental metadata must be fetched from the registry.
   npm WARN old lockfile 
   npm WARN old lockfile This is a one-time fix-up, please be patient...
   npm WARN old lockfile
   
   added 118 packages, and audited 119 packages in 5s
   
   15 packages are looking for funding
     run `npm fund` for details
   
   1 moderate severity vulnerability
   
   To address all issues, run:
     npm audit fix
   
   Run `npm audit` for details.
   npm notice
   npm notice New minor version of npm available! 8.3.1 -> 8.5.1
   npm notice Changelog: https://github.com/npm/cli/releases/tag/v8.5.1
   npm notice Run npm install -g npm@8.5.1 to update!
   npm notice
   ```



[GitHub] [spark] sarutak commented on a change in pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
sarutak commented on a change in pull request #35628:
URL: https://github.com/apache/spark/pull/35628#discussion_r813911696



##########
File path: dev/package.json
##########
@@ -1,5 +1,8 @@
 {
   "devDependencies": {
     "eslint": "^7.25.0"
+  },
+  "dependencies": {
+    "ansi-regex": "^5.0.1"
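Review bot: `ansi-regex` is not something Spark's `dev` tooling imports itself; it is listed here only to force the copy that `eslint`'s dependency chain pulls in up to 5.0.1, so it belongs under `devDependencies` next to `eslint` rather than in a new `dependencies` block, which would declare a runtime dependency the package does not have. Note also that a top-level `^5.0.1` range only governs the hoisted copy: after regenerating the lockfile with `npm install`, confirm with `npm ls ansi-regex` that `package-lock.json` no longer resolves any copy of `ansi-regex` to 5.0.0.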

Review comment:
       Please move this entry to `devDependencies`.





[GitHub] [spark] bjornjorgensen commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
bjornjorgensen commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049921212


   @sarutak I now have
   
   ```json
   {
     "devDependencies": {
       "eslint": "^7.25.0",
       "ansi-regex": "^5.0.1"
     }
   }
   ```
   
   in `package.json`, and when I run `npm install`:
   
   ```
   npm WARN old lockfile
   npm WARN old lockfile The package-lock.json file was created with an old version of npm,
   npm WARN old lockfile so supplemental metadata must be fetched from the registry.
   npm WARN old lockfile 
   npm WARN old lockfile This is a one-time fix-up, please be patient...
   npm WARN old lockfile 
   
   added 118 packages, and audited 119 packages in 3s
   
   15 packages are looking for funding
     run `npm fund` for details
   
   found 0 vulnerabilities
   ```
   
   I'm using npm@8.3.1
   



[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev

Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1050465039


   Merged to `master` and `branch-3.2`. Thank you, all !


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org