Posted to reviews@helix.apache.org by GitBox <gi...@apache.org> on 2022/06/21 23:45:37 UTC

[GitHub] [helix] micahstubbs opened a new pull request, #2164: yarn add -D yargs-parser@21

micahstubbs opened a new pull request, #2164:
URL: https://github.com/apache/helix/pull/2164

   ### Issues
   
   - [x] My PR addresses the following Helix issues and references them in the PR description:
   
   fix #2163
   
   ### Description
   
   - [x] Here are some details about my PR, including screenshots of any UI changes:
   
   This PR should resolve this security vulnerability by upgrading the affected package:
   
   ```
   yargs-parser@20.0.0: Vulnerability found:  
   vulnerability: yargs-parser is vulnerable to 
   Regular Expression Denial of Service (ReDoS). 
   The `isUnknownOption` function in `yargs-parser.ts` does not 
   properly replace `-` characters from parse, allowing a malicious 
   user to slow down or hang the application when unknown-options-as-args 
   is set to true.
   ```
   
   The latest yargs-parser major version is 21.  The breaking change is dropping support for node 10.  This does not affect helix-front, which currently uses node 14.
   
   https://github.com/yargs/yargs-parser/releases/tag/yargs-parser-v21.0.0
   
   This means we should be able to resolve this security vulnerability by manually installing the latest yargs-parser as a direct  dev dependency:
   
   ```sh
   yarn add -D yargs-parser@21
   ```
   
   which resolves to `yargs-parser@21.0.1` in helix-front's yarn.lock file.
   
   ### Tests
   
   - [x] The following tests are written for this issue:
   
   - The following is the result of the "mvn test" command on the appropriate module:
   
   N/A No Java Changes
   
   ### Commits
   
   - [x] My commits all reference appropriate Apache Helix GitHub issues in their subject lines. In addition, my commits follow the guidelines from "[How to write a good git commit message](http://chris.beams.io/posts/git-commit/)":
   
   
   ### Code Quality
   
   - [x] My diff has been formatted using helix-style.xml (helix-style-intellij.xml if IntelliJ IDE is used)
   
   N/A No Java Changes


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org
For additional commands, e-mail: reviews-help@helix.apache.org
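The check the PR description implies (confirm that, after `yarn add -D yargs-parser@21`, no copy of yargs-parser below the fixed version is still resolved anywhere in yarn.lock), as an added example that is not code from the Helix PR or from helix-front. It assumes the Yarn v1 lockfile format, treats the PR's target major (21.0.0) as the fix threshold rather than an advisory range, and runs on a constructed lockfile excerpt.

```javascript
// Parse a yarn.lock v1 entry header, e.g. `yargs-parser@^20.2.2, yargs-parser@^21.0.0:`
// or `"@angular-eslint/builder@13.0.0":`, into the package names it covers
// (a name is everything before the last '@', so scoped names are handled).
function namesFromHeader(line) {
  return line.slice(0, -1)                                   // drop trailing ':'
    .split(',')
    .map(s => s.trim().replace(/^"|"$/g, ''))                // strip optional quotes
    .map(spec => spec.slice(0, spec.lastIndexOf('@')));
}

// Build Map<packageName, Set<resolvedVersion>> from the lockfile text.
function parseYarnLock(text) {
  const resolved = new Map();
  let current = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.startsWith(' ') && line.endsWith(':')) { current = namesFromHeader(line); continue; }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);           // the entry's resolved version
    for (const name of m ? current : []) {
      if (!resolved.has(name)) resolved.set(name, new Set());
      resolved.get(name).add(m[1]);
    }
  }
  return resolved;
}

// Numeric compare of dotted versions; pre-release tags are ignored (simplifying assumption).
function versionLess(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// Resolved versions of `pkg` older than `minFixed`: a non-empty result means a
// vulnerable copy is still reachable somewhere in the dependency tree.
function vulnerableVersions(lockText, pkg, minFixed) {
  const versions = parseYarnLock(lockText).get(pkg) || new Set();
  return [...versions].filter(v => versionLess(v, minFixed)).sort();
}

// Constructed lockfile excerpt: the pre-fix 20.0.0 copy is still present
// beside the newly added 21.0.1, so the check must flag it.
const SAMPLE_LOCK = `# yarn lockfile v1
"@angular-eslint/builder@13.0.0":
  version "13.0.0"

yargs-parser@20.0.0:
  version "20.0.0"

yargs-parser@^21.0.0:
  version "21.0.1"
`;
```

Run it against the real helix-front yarn.lock with `fs.readFileSync` in place of `SAMPLE_LOCK`; an empty result for `yargs-parser` is the condition the PR is trying to reach.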


[GitHub] [helix] NealSun96 merged pull request #2164: resolve yargs-parser dependency ReDos security vulnerability [helix-front]

Posted by GitBox <gi...@apache.org>.
NealSun96 merged PR #2164:
URL: https://github.com/apache/helix/pull/2164




[GitHub] [helix] micahstubbs commented on pull request #2164: resolve yargs-parser dependency ReDos security vulnerability [helix-front]

Posted by GitBox <gi...@apache.org>.
micahstubbs commented on PR #2164:
URL: https://github.com/apache/helix/pull/2164#issuecomment-1163780024

   What is `@angular-eslint/builder`?
   
   > An Angular CLI Builder which is used to execute ESLint on your Angular projects using standard commands such as ng lint
   
   https://github.com/angular-eslint/angular-eslint#readme
   
   Since none of helix-front's yarn scripts actually call ng-lint, we should be able to safely remove this dependency.




[GitHub] [helix] micahstubbs commented on pull request #2164: resolve yargs-parser dependency ReDos security vulnerability [helix-front]

Posted by GitBox <gi...@apache.org>.
micahstubbs commented on PR #2164:
URL: https://github.com/apache/helix/pull/2164#issuecomment-1163784369

   This PR is ready to be merged, approved by @somecodemonkey 
   Final commit message:
   ## resolve yargs-parser dependency ReDos security vulnerability [helix-front] (#2163 )
   Remove helix-front dependency @angular-eslint/builder to resolve security vulnerability 
   in one of its dependencies, yargs-parser.

