SvenKirschbaum / react-stomp-hooks

This repository contains a React library which enables simple access to STOMP subscriptions via hooks.
MIT License

Update minimum dependency versions #9

Closed kirkegaard closed 2 years ago

kirkegaard commented 2 years ago

This bumps the version of sockjs-client, stompjs and lockfile. Sockjs seems to have upgraded to the newer version of url-parse which fixes a vulnerability. We were seeing error notifications from dependabot because of this. Hopefully this will fix that :) I hope this is the correct way of fixing such a thing. If not, I'm sorry!

SvenKirschbaum commented 2 years ago

Hello!

I don't have much experience regarding such things myself, but the issue with url-parse should have already been fixed ~2.5 weeks ago (https://github.com/fallobst22/react-stomp-hooks/commit/4fdf2862891e3d64da77953a6beac9c64b971126). Are you using the latest version (2.0.3) already?

kirkegaard commented 2 years ago

I am, yes, but because the version of sockjs-client you're using has a dependency on an older version of url-parse (1.5.7), I'm getting that one down. If you do a `yarn why url-parse` or `npm ls url-parse` you should see the older version.

```
$ yarn why url-parse
yarn why v1.22.18
[1/4] 🤔  Why do we have the module "url-parse"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "url-parse@1.5.7"
info Reasons this module exists
   - "react-stomp-hooks#sockjs-client" depends on it
   - Hoisted from "react-stomp-hooks#sockjs-client#url-parse"
   - Hoisted from "react-stomp-hooks#sockjs-client#eventsource#original#url-parse"
info Disk size without dependencies: "80KB"
info Disk size with unique dependencies: "124KB"
info Disk size with transitive dependencies: "124KB"
info Number of shared dependencies: 2
✨  Done in 0.41s.
```

kirkegaard commented 2 years ago

And hello :D Nice to meet you! Thank you for your work on react-stomp-hooks!

SvenKirschbaum commented 2 years ago

I just tried creating a new project, and added react-stomp-hooks as the (only) dependency. The version of url-parse automatically installed was 1.5.10.

From my understanding, when you add this package as a dependency, because the dependency on sockjs-client uses a caret, the latest compatible version is automatically installed. For older projects, running something like `yarn upgrade` should update to the latest version too. This would be consistent with my observation above. I attached the output of the commands below.

However, thinking about this again, it's probably a good idea to force the update by updating the minimum required version, as this is a potential security issue. I will therefore merge your pull request. Thanks for the effort!

```
PS > npm why url-parse
url-parse@1.5.10
node_modules/url-parse
  url-parse@"^1.4.3" from original@1.0.2
  node_modules/original
    original@"^1.0.0" from eventsource@1.1.0
    node_modules/eventsource
      eventsource@"^1.1.0" from sockjs-client@1.6.0
      node_modules/sockjs-client
        sockjs-client@"^1.5.1" from react-stomp-hooks@2.0.3
        node_modules/react-stomp-hooks
          react-stomp-hooks@"^2.0.3" from the root project
  url-parse@"^1.5.10" from sockjs-client@1.6.0
  node_modules/sockjs-client
    sockjs-client@"^1.5.1" from react-stomp-hooks@2.0.3
    node_modules/react-stomp-hooks
      react-stomp-hooks@"^2.0.3" from the root project
PS > yarn why url-parse
yarn why v1.22.18
[1/4] Why do we have the module "url-parse"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "url-parse@1.5.10"
info Reasons this module exists
   - "react-stomp-hooks#sockjs-client" depends on it
   - Hoisted from "react-stomp-hooks#sockjs-client#url-parse"
   - Hoisted from "react-stomp-hooks#sockjs-client#eventsource#original#url-parse"
info Disk size without dependencies: "80KB"
info Disk size with unique dependencies: "124KB"
info Disk size with transitive dependencies: "124KB"
info Number of shared dependencies: 2
Done in 0.08s.
```

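The resolution behaviour discussed in the two comments above (a caret range admits the newest compatible version on a fresh install, an existing lockfile keeps the older resolved version, and raising the declared minimum forces the upgrade) as an added example that is not part of react-stomp-hooks or of this pull request. It implements minimal caret semantics, then walks a dependency tree shaped like `npm ls --json` output to report every path at which a package sits below a required version. The tree, the `sockjs-client@1.5.2` version in it and the function names are constructed assumptions; the url-parse versions 1.5.7 and 1.5.10 are the ones reported in the thread.

```javascript
// Added example, not code from the react-stomp-hooks project or this PR.
// Models the thread: "^1.4.3" admits every 1.x.y >= 1.4.3, so a fresh
// install resolves to the newest 1.x, while a lockfile keeps whatever was
// resolved earlier. Declaring "^1.5.10" makes a pinned 1.5.7 unsatisfiable,
// so the next install has to move forward.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret range for major >= 1: "^X.Y.Z" means >= X.Y.Z and < (X+1).0.0.
// npm's special rules for ^0.y.z are deliberately out of scope here.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges supported: ${range}`);
  const base = range.slice(1);
  const [major] = parseVersion(base);
  if (major === 0) throw new Error('^0.y.z ranges are not modelled in this example');
  return compareVersions(version, base) >= 0 && parseVersion(version)[0] === major;
}

// Walk a tree shaped like `npm ls --json` ({ dependencies: { name: { version, dependencies } } })
// and return every path at which `pkg` is installed below `minimum`.
function findOutdated(tree, pkg, minimum, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, minimum) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findOutdated(node, pkg, minimum, here));
  }
  return hits;
}

// Constructed tree mirroring the first `yarn why` output in the thread:
// url-parse 1.5.7 reached directly from sockjs-client and again through
// eventsource > original. sockjs-client@1.5.2 is an assumed pre-bump version.
const lockedTree = {
  dependencies: {
    'react-stomp-hooks': {
      version: '2.0.3',
      dependencies: {
        'sockjs-client': {
          version: '1.5.2',
          dependencies: {
            'url-parse': { version: '1.5.7' },
            eventsource: {
              version: '1.1.0',
              dependencies: {
                original: {
                  version: '1.0.2',
                  dependencies: { 'url-parse': { version: '1.5.7' } },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Version the thread observes on a fresh install of react-stomp-hooks@2.0.3.
const MIN_URL_PARSE = '1.5.10';

// Report every outdated copy; an empty list means the lockfile is clean.
for (const hit of findOutdated(lockedTree, 'url-parse', MIN_URL_PARSE)) {
  console.log(`url-parse below ${MIN_URL_PARSE}: ${hit}`);
}
```

Running it prints both paths to the pinned 1.5.7 copy; `satisfiesCaret('^1.4.3', '1.5.7')` is true, which is why the old range never forced a lockfile to move, while `satisfiesCaret('^1.5.10', '1.5.7')` is false, which is what the merged bump achieves. A real audit would feed the tree from `npm ls --all --json` rather than a constructed object, and would use a full semver library rather than the caret subset shown here.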
kirkegaard commented 2 years ago

❤️