Posted to reviews@spark.apache.org by GitBox <gi...@apache.org> on 2022/02/23 10:47:26 UTC
[GitHub] [spark] bjornjorgensen opened a new pull request #35628: [SPARK-38303] Upgrade 'ansi-regex' from 5.0.0 to 5.0.1 in /dev
bjornjorgensen opened a new pull request #35628:
URL: https://github.com/apache/spark/pull/35628
### What changes were proposed in this pull request?
Upgrade ansi-regex from 5.0.0 to 5.0.1 in /dev
### Why are the changes needed?
[CVE-2021-3807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807)
[release notes on GitHub](https://github.com/chalk/ansi-regex/releases)
By upgrading ansi-regex from 5.0.0 to 5.0.1 we will resolve this issue.
### Does this PR introduce _any_ user-facing change?
Some users use remote security scanners, and this is one of the issues that comes up. How this can do some damage with Spark is highly uncertain, but let's remove the uncertainty that any user may have.
### How was this patch tested?
All tests must pass.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049785764
@bjornjorgensen
> @sarutak I first reverted this PR, and then I got a lot of errors [SO](https://stackoverflow.com/questions/62653114/how-can-i-deal-with-this-git-warning-pulling-without-specifying-how-to-reconci)
It's not an error but a WARN, and it will be suppressed after `package-lock.json` is updated.
Please update `package.json` and just run `npm`.
[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049008885
@bjornjorgensen Can you retry with the latest LTS release of `npm`?
[GitHub] [spark] bjornjorgensen commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
bjornjorgensen commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1048974164
@sarutak I first reverted this PR, and then I got a lot of errors [SO](https://stackoverflow.com/questions/62653114/how-can-i-deal-with-this-git-warning-pulling-without-specifying-how-to-reconci)
And then I did:
```
npm install
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
added 118 packages, and audited 119 packages in 16s
15 packages are looking for funding
run `npm fund` for details
1 moderate severity vulnerability
To address all issues, run:
npm audit fix
Run `npm audit` for details.
[bjorn@bjorn-aspirea51751g dev]$ npm audit fix
changed 1 package, and audited 119 packages in 943ms
15 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
```
But now the `package-lock.json` file is 2245 lines long!
Will you @sarutak take over? I can close this PR after you have copied the text.
[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049892646
@bjornjorgensen Oh, please run `npm install` to update `package-lock.json` after you modified `package.json`, then push the change.
[GitHub] [spark] sarutak edited a comment on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
sarutak edited a comment on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049892646
@bjornjorgensen Oh, please run `npm install` in `dev` to update `package-lock.json` after you modified `package.json`, then push the change.
[GitHub] [spark] sarutak closed pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
sarutak closed pull request #35628:
URL: https://github.com/apache/spark/pull/35628
[GitHub] [spark] bjornjorgensen edited a comment on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
bjornjorgensen edited a comment on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049921212
@sarutak I now have
```json
{
  "devDependencies": {
    "eslint": "^7.25.0",
    "ansi-regex": "^5.0.1"
  }
}
```
in `package.json` and when I run `npm install`:
```
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
added 118 packages, and audited 119 packages in 3s
15 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
```
I'm using npm@8.3.1
[GitHub] [spark] srowen commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1048854776
Seems reasonable, though I confess I don't know what this file is.
@sarutak can you weigh in?
[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049953966
@bjornjorgensen Please see [this comment](https://github.com/apache/spark/pull/35628#issuecomment-1049785764).
[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1048908863
@bjornjorgensen Thank you for trying to fix the CVE!
Could you NOT edit `package-lock.json` directly?
Instead, please edit `dev/package.json`, then run `npm install` in the `dev` directory to update `package-lock.json`.
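The check a reviewer would want after following this procedure, added here as an example that is not part of the PR or of Spark's own tooling: a small Node script that scans a parsed `package-lock.json` for every copy of `ansi-regex`, direct or nested under another package, that is still below the 5.0.1 fix for CVE-2021-3807. The lockfile object below is constructed for the example; `findVulnerableCopies` and `compareVersions` are names chosen here.

```javascript
// Compare two dotted numeric versions ("5.0.0" vs "5.0.1"): returns -1, 0 or 1.
// Pre-release suffixes are not modelled; parseInt simply drops them.
function compareVersions(a, b) {
  const pa = String(a).split(".").map((s) => parseInt(s, 10));
  const pb = String(b).split(".").map((s) => parseInt(s, 10));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every copy of `name` in a parsed package-lock.json whose version is
// below `fixedIn`, as [{ path, version }], direct and nested copies alike.
// Covers lockfileVersion 2/3 ("packages", keyed by node_modules path) and
// lockfileVersion 1 (nested "dependencies" objects).
function findVulnerableCopies(lock, name, fixedIn) {
  const hits = [];
  const check = (path, version) => {
    if (compareVersions(version, fixedIn) < 0) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const tail = `node_modules/${name}`;
      if (path === tail || path.endsWith(`/${tail}`)) check(path, meta.version);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) check(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not Spark's dev/package-lock.json): the top-level
// pin is already 5.0.1, but a nested copy pulled in by strip-ansi is still 5.0.0,
// which is the kind of entry a security scanner keeps flagging.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { devDependencies: { eslint: "^7.25.0", "ansi-regex": "^5.0.1" } },
    "node_modules/ansi-regex": { version: "5.0.1", dev: true },
    "node_modules/strip-ansi": { version: "6.0.0", dev: true },
    "node_modules/strip-ansi/node_modules/ansi-regex": { version: "5.0.0", dev: true },
  },
};

// Example run: reports node_modules/strip-ansi/node_modules/ansi-regex at 5.0.0.
const findings = findVulnerableCopies(SAMPLE_LOCK_V2, "ansi-regex", "5.0.1");
console.log(findings);
```

On a real checkout, pass `JSON.parse(fs.readFileSync("dev/package-lock.json", "utf8"))` instead of the sample object; an empty result means the regenerated lockfile carries no stale copy.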
[GitHub] [spark] AmplabJenkins commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049682393
Can one of the admins verify this patch?
[GitHub] [spark] bjornjorgensen commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
bjornjorgensen commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049037084
@sarutak OK, I'm trying with [Latest LTS Version: 16.14.0 (includes npm 8.3.1)](https://nodejs.org/en/download/):
```
npm install
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
added 118 packages, and audited 119 packages in 5s
15 packages are looking for funding
run `npm fund` for details
1 moderate severity vulnerability
To address all issues, run:
npm audit fix
Run `npm audit` for details.
npm notice
npm notice New minor version of npm available! 8.3.1 -> 8.5.1
npm notice Changelog: https://github.com/npm/cli/releases/tag/v8.5.1
npm notice Run npm install -g npm@8.5.1 to update!
npm notice
```
[GitHub] [spark] sarutak commented on a change in pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
sarutak commented on a change in pull request #35628:
URL: https://github.com/apache/spark/pull/35628#discussion_r813911696
##########
File path: dev/package.json
##########
@@ -1,5 +1,8 @@
{
"devDependencies": {
"eslint": "^7.25.0"
+ },
+ "dependencies": {
+ "ansi-regex": "^5.0.1"
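Review bot: the new `ansi-regex` entry is added in a separate `dependencies` block rather than under the existing `devDependencies`, which declares a runtime dependency for what is only eslint tooling in `dev` (eslint is the sole entry in this file before the change, so ansi-regex is only reached through it); put `"ansi-regex": "^5.0.1"` next to `"eslint": "^7.25.0"` and drop the added `dependencies` section. Because the package is transitive, the pin only takes effect once `npm install` regenerates `package-lock.json`, so the regenerated lockfile should land in the same commit rather than a hand edit.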
Review comment:
Please move this entry to `devDependencies`.
[GitHub] [spark] bjornjorgensen commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
bjornjorgensen commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1049921212
@sarutak I now have
```json
{
  "devDependencies": {
    "eslint": "^7.25.0",
    "ansi-regex": "^5.0.1"
  }
}
```
in `package.json` and when I run `npm install`:
```
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
added 118 packages, and audited 119 packages in 3s
15 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
```
I'm using npm@8.3.1
[GitHub] [spark] sarutak commented on pull request #35628: [SPARK-38303][BUILD] Upgrade `ansi-regex` from 5.0.0 to 5.0.1 in /dev
Posted by GitBox <gi...@apache.org>.
sarutak commented on pull request #35628:
URL: https://github.com/apache/spark/pull/35628#issuecomment-1050465039
Merged to `master` and `branch-3.2`. Thank you, all!