eclipse-theia / theia

Eclipse Theia is a cloud & desktop IDE framework implemented in TypeScript.
http://theia-ide.org
Eclipse Public License 2.0

Upgrade 'yargs' version ('y18n' security issue) #8781

Open DoroNahari opened 3 years ago

DoroNahari commented 3 years ago

Bug Description:

y18n had a security issue that was fixed in version 5.0.5. Currently theia is using yargs 11.1.0, which is using y18n < 5.0.5. yargs upgraded to the 5.0.5 y18n version in version 16.1.1.

Can we try upgrading to yargs 16.1.1?

Additional Information

https://github.com/yargs/yargs/issues/1790 https://github.com/yargs/yargs/commit/ae001f34c968e8f4cda2a832d85b114753f4dee0

vince-fugnitto commented 3 years ago

@DoroNahari sounds good to me :) do you mind preparing a pull-request that updates the dependency and its typings (including updating the source code if necessary)? During the review I'll determine if the update in version still satisfies our license compatibility.

paul-marechal commented 3 years ago

yarn why v1.22.4
[1/4] Why do we have the module "y18n"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "y18n@4.0.0"
info Has been hoisted to "y18n"
info Reasons this module exists
   - "workspace-aggregator-a22e6fbd-0783-4caa-bffc-7d98b30d9096" depends on it
   - Hoisted from "_project_#yargs#y18n"
   - Hoisted from "_project_#@theia#application-manager#copy-webpack-plugin#cacache#y18n"
   - Hoisted from "_project_#@theia#application-manager#@theia#compression-webpack-plugin#cacache#y18n"
   - Hoisted from "_project_#@theia#cli#mocha#yargs#y18n"
   - Hoisted from "_project_#@theia#application-manager#electron-rebuild#yargs#y18n"
   - Hoisted from "_project_#@theia#application-manager#webpack#terser-webpack-plugin#cacache#y18n"
   - Hoisted from "_project_#@theia#cli#mocha#yargs-unparser#yargs#y18n"
=> Found "lerna#y18n@3.2.1"
info Reasons this module exists
   - "_project_#lerna#yargs" depends on it
   - Hoisted from "_project_#lerna#yargs#y18n"
=> Found "webpack-cli#y18n@3.2.1"
info Reasons this module exists
   - "_project_#@theia#application-manager#webpack-cli#yargs" depends on it
   - Hoisted from "_project_#@theia#application-manager#webpack-cli#yargs#y18n"

The y18n vulnerability is listed as affecting 5.0.0 to 5.0.4 but as you can see we don't target any of that. Although I wouldn't be against using a newer version of yargs, feel free to do it while opening CQs if/as required.
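The check paul-marechal did by hand above (read every `=> Found "...y18n@x.y.z"` line from `yarn why` and compare it against the affected range) can be scripted so it runs in CI on every dependency change. The following is an added example, not Theia's or yargs' own code; the `yarn why` sample is constructed from the output in this thread plus one invented `5.0.2` entry to exercise the affected branch, and the range `>=5.0.0 <5.0.5` is the one stated in the thread, so replace `AFFECTED` with the ranges from the advisory you are tracking.

```javascript
// Constructed sample of `yarn why y18n` output (the 5.0.2 entry is invented
// so that the affected-range branch is exercised).
const sampleYarnWhy = `
=> Found "y18n@4.0.0"
info Has been hoisted to "y18n"
=> Found "lerna#y18n@3.2.1"
=> Found "webpack-cli#y18n@3.2.1"
=> Found "some-tool#y18n@5.0.2"
`;

// Affected range as stated in the thread: >=5.0.0 and fixed in 5.0.5.
// Assumption: adjust to the advisory's full list of ranges in real use.
const AFFECTED = [{ min: '5.0.0', fixed: '5.0.5' }];

// Minimal numeric semver comparison (major.minor.patch, no pre-release tags).
function compare(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` falls inside any [min, fixed) range.
function isAffected(version, ranges = AFFECTED) {
  return ranges.some(r => compare(version, r.min) >= 0 && compare(version, r.fixed) < 0);
}

// Collect every distinct version of `pkg` that yarn reports as installed,
// whether hoisted to the top level ("y18n@4.0.0") or nested ("lerna#y18n@3.2.1").
function findVersions(yarnWhyOutput, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(`^=> Found "(?:[^"]*#)?${escaped}@([^"]+)"$`, 'gm');
  const versions = new Set();
  let m;
  while ((m = re.exec(yarnWhyOutput)) !== null) versions.add(m[1]);
  return [...versions].sort(compare);
}

// Report all found versions and the subset inside an affected range.
function audit(yarnWhyOutput, pkg, ranges = AFFECTED) {
  const found = findVersions(yarnWhyOutput, pkg);
  const affected = found.filter(v => isAffected(v, ranges));
  return { found, affected };
}
```

Running `audit(sampleYarnWhy, 'y18n')` reports `3.2.1`, `4.0.0` and `5.0.2` as installed and only `5.0.2` as affected; feed it real output with `yarn why y18n | node check.js` style plumbing and fail the CI job when `affected` is non-empty.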