Closed AndrewOCC closed 3 years ago
`npm ls` output after upgrade:

```
├─┬ gatsby-cli@2.19.2
│ └─┬ yargs@15.4.1
│   └── yargs-parser@18.1.3
└─┬ standard-version@4.4.0
  └─┬ yargs@8.0.2
    └── yargs-parser@7.0.0
```
Thanks for your PR. Looking at this with a fresh eye, I wonder if Gatsby-cli shouldn't be a peer dependency instead. Have you tried this out with the major change here?
Thanks!
I haven't tried setting gatsby-cli as a peer dependency; I can see the logic of that change. The library's brought in by gatsby, and if the gatsby version isn't compatible users can bring in the right version explicitly.
Do you suggest I make that change as part of this PR and list it as a breaking change?
I'm wondering now if it would be worth merging this bump for now, and the peer dependency breaking change can be done as a follow-up PR. This would allow consumers of this library to get the security improvement as a patch instead of a major.
I think first and foremost it makes sense to plug the security vulnerability for the largest amount of consumers possible 👍. A patch upgrade is painless and can be automated (with tools like dependabot, renovate, etc.), but a major causes that extra bit of friction.
Note that this library isn't stable yet, so 0.x is marked as a breaking change.
Released as 0.16.4, thanks for your help!
In 0.17.0 I've made it a peer dependency, thanks for your work!
Yargs-parser has a prototype pollution vulnerability; the library is brought in as a transitive dependency by gatsby-cli. This PR bumps the version of gatsby-cli; the library is also brought in by standard-version, but that's a dev dependency.

For more information on the vulnerability, see: https://www.sourceclear.com/vulnerability-database/security/prototype-pollution/javascript/sid-22715

fixes https://github.com/algolia/gatsby-plugin-algolia/issues/119
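The class of bug the PR description refers to, shown on a toy argument parser as an added example (this is not code from the PR, from gatsby-plugin-algolia or from yargs-parser). Option parsers that accept dotted keys such as `--a.b value` walk into nested objects; if the key path is not filtered, a segment named `__proto__` walks into `Object.prototype` and the write lands on every object in the process. The functions `parseNaive`, `parseHardened`, `setPath` and `demonstrate`, and the sample argv, are constructed for this illustration.

```javascript
// Added example, not from the PR or the yargs-parser project. A minimal
// "dotted key" argv parser in a naive and a hardened form, to show why an
// unfiltered key path pollutes Object.prototype and how a key guard stops it.

// Assign `value` at a dotted path ("a.b.c") inside `target`, creating
// intermediate objects as needed. `guard`, if given, is called on every
// key segment before it is used and may throw to reject it.
function setPath(target, path, value, guard) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (guard) guard(k);
    // On a plain object, cur["__proto__"] is Object.prototype: already an
    // object, so the naive variant happily descends into it.
    if (typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  const last = keys[keys.length - 1];
  if (guard) guard(last);
  cur[last] = value;
}

// Parse ["--a.b", "1", "--flag"] into { a: { b: "1" }, flag: true }.
function parseArgv(argv, guard) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const name = arg.slice(2);
    const next = argv[i + 1];
    if (next !== undefined && !next.startsWith('--')) {
      setPath(out, name, next, guard);
      i++; // consumed the value
    } else {
      setPath(out, name, true, guard); // bare flag
    }
  }
  return out;
}

// Naive variant: no key filtering at all.
function parseNaive(argv) {
  return parseArgv(argv, null);
}

// Key segments that reach the prototype chain and must never be assigned.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: reject reserved keys before any assignment happens.
function parseHardened(argv) {
  return parseArgv(argv, (key) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set reserved key "${key}"`);
    }
  });
}

// Run both parsers on a constructed argv and report what happened.
// Cleans up the polluted property so the process is left as it was found.
function demonstrate() {
  const argv = ['--__proto__.polluted', 'yes', '--name', 'app'];
  const result = {};

  parseNaive(argv);
  // A fresh, unrelated object now carries the attacker-chosen property.
  result.naiveLeaks = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution for this demo

  try {
    parseHardened(argv);
    result.hardenedRejects = false;
  } catch (e) {
    result.hardenedRejects = true;
  }
  result.hardenedCleanAfter = ({}).polluted === undefined;
  return result;
}

console.log(demonstrate());
```

The guard is the fix that matters; building the result with `Object.create(null)` is a useful second layer because a null-prototype object has no `__proto__` accessor to walk into, but it does not protect intermediate objects created as plain `{}`.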