dwyl / hapi-auth-jwt2

:lock: Secure Hapi.js authentication plugin using JSON Web Tokens (JWT) in Headers, URL or Cookies
ISC License

V10.4.0 #375

Closed. nelsonic closed this 1 year ago

nelsonic commented 1 year ago

This PR creates a new [maintenance] release for the package. 📦 To publish a version with the updated jsonwebtoken dependency https://github.com/dwyl/hapi-auth-jwt2/pull/374 ⬆️

Changelog:

# Version 10.3.0 - Security Update to `jsonwebtoken` Dependency

Update version of `jsonwebtoken` dependency to latest
to avoid security issues. 
See: https://github.com/dwyl/hapi-auth-jwt2/pull/374 thanks @AntoineAA 
More detail in: https://github.com/dwyl/hapi-auth-jwt2/pull/373 thanks Snyk. 

Sadly the deps badges are no longer working: Dependencies Status devDependencies Status

Removing from README.md ✂️

Also:

nelsonic commented 1 year ago

@snyk finds 4 issues with this PR, all jsonwebtoken:

Thanks @snyk, suuuuuuuper helpful. Thanks for failing the build that releases the new version of the package to fix the problem you've identified. 🎉

nelsonic commented 1 year ago

Meanwhile what I really want is to know if the CI (GitHub Actions) is passing so I know if Hapi@v21 works ... 🤷‍♂️

nelsonic commented 1 year ago

OK. I'm done with @snyk between them creating a PR as me #373 🤦‍♂️ and now prematurely failing this build that is updating the issue they have identified ... done. 🙅

nelsonic commented 1 year ago

What kind of security system allows a manual override? 🤦‍♂️ https://app.snyk.io/org/nelsonic/pr-checks/2af9b479-c08f-4551-8e13-e0815297bc90

This is an acknowledgement that their system is fundamentally broken. 💔

nelsonic commented 1 year ago

"Mark as successful" indeed ...

nelsonic commented 1 year ago

Attempted to run npm audit fix ... got:

```
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: eslint-plugin-prettier@3.1.3
npm ERR! Found: eslint@7.0.0-rc.0
npm ERR! node_modules/eslint
npm ERR!   dev eslint@"^7.0.0-alpha.0" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer eslint@">= 5.0.0" from eslint-plugin-prettier@3.1.3
npm ERR! node_modules/eslint-plugin-prettier
npm ERR!   dev eslint-plugin-prettier@"^3.1.2" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: eslint@8.31.0
npm ERR! node_modules/eslint
npm ERR!   peer eslint@">= 5.0.0" from eslint-plugin-prettier@3.1.3
npm ERR!   node_modules/eslint-plugin-prettier
npm ERR!     dev eslint-plugin-prettier@"^3.1.2" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
```

nelsonic commented 1 year ago

Gonna try and manually update eslint and prettier ... 🧑‍💻⏳ 🙄

nelsonic commented 1 year ago

Somewhat predictably ...

```
npm run lint

> hapi-auth-jwt2@10.3.0 lint
> eslint lib

/Users/n/code/hapi-auth-jwt2/lib/index.js
   20:21  error  Insert `·`                                                                                                                                         prettier/prettier
   46:37  error  Insert `·`                                                                                                                                         prettier/prettier
   56:32  error  Insert `·`                                                                                                                                         prettier/prettier
   64:35  error  Insert `·`                                                                                                                                         prettier/prettier
   73:31  error  Insert `·`                                                                                                                                         prettier/prettier
   85:40  error  Insert `·`                                                                                                                                         prettier/prettier
  184:12  error  Replace `⏎········isValid,⏎········credentials,⏎········response,⏎········errorMessage,` with `·isValid,·credentials,·response,·errorMessage·}·=`  prettier/prettier
  189:7   error  Replace `}·=` with `·`                                                                                                                             prettier/prettier
  324:36  error  Insert `·`                                                                                                                                         prettier/prettier
  340:33  error  Insert `·`                                                                                                                                         prettier/prettier
  371:28  error  Insert `·`                                                                                                                                         prettier/prettier
  402:23  error  Insert `·`                                                                                                                                         prettier/prettier
  410:20  error  Replace `err` with `(err)`                                                                                                                         prettier/prettier
  424:27  error  Insert `·`                                                                                                                                         prettier/prettier

✖ 14 problems (14 errors, 0 warnings)
  14 errors and 0 warnings potentially fixable with the `--fix` option.
```

This is silly.

`20:21  error  Insert `·``

the line in question is: https://github.com/dwyl/hapi-auth-jwt2/blob/0cf2b34234d713157c453a1bedcffa8a63695cce/lib/index.js#L20

How does this line need a . on it? 🤷‍♂️

nelsonic commented 1 year ago

Through a little investigation, 🔍 it turns out that the latest version of prettier doesn't allow the function keyword. 🤷‍♂️ Everything has to be => (arrow functions) ... 🤦‍♂️

Sooooo glad I don't write JS anymore. This is suuuuper lame! the function keyword is perfectly fine! why do the Küel Kids have to ruin perfectly working code?! 🤦‍♂️

codecov[bot] commented 1 year ago

Codecov Report

:exclamation: No coverage uploaded for pull request base (main@0cf2b34). The diff coverage is n/a.

```
@@           Coverage Diff            @@
##             main      #375   +/-   ##
========================================
  Coverage        ?   100.00%           
========================================
  Files           ?         2           
  Lines           ?       134           
  Branches        ?         0           
========================================
  Hits            ?       134           
  Misses          ?         0           
  Partials        ?         0           
```


nelsonic commented 1 year ago

Much better:


nelsonic commented 1 year ago

@SimonLab please take a look and merge when you're back at your desk. Thanks. 🙏