enzymejs / enzyme

JavaScript Testing utilities for React
https://enzymejs.github.io/enzyme/
MIT License
19.95k stars 2.01k forks

Bump cheerio to @1.0.0-rc.11 #2561

Open vinodkumarsharma276 opened 2 years ago

vinodkumarsharma276 commented 2 years ago

Due to the recent security vulnerability in nth-check v1.2.0, which is fetched transitively from enzyme --> cheerio --> css-select --> .... --> nth-check v1.2.0.

cheerio@1.0.0-rc.11 removes the dependency on css-select, which ultimately removes the dependency on nth-check.
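The PR description traces the advisory through a chain of transitive dependencies. The following is an added example, not code from enzyme, cheerio, or this PR: it walks a dependency graph the way `npm ls <pkg>` does, lists every path from the application root to a named package, and reports which of those paths end in a version below an assumed fixed version. The graph, the package versions other than nth-check@1.2.0, and the `ASSUMED_FIXED_VERSION` threshold are all constructed placeholders; in practice the graph would be built from a lockfile or `npm ls --json`, and the threshold taken from the advisory.

```javascript
// Added example: trace which direct dependency pulls in a transitively
// flagged package, and whether the resolved version is in the affected range.
// Everything below is constructed for illustration; it is not enzyme's code.

// Constructed graph: "name@version" -> resolved dependency specs.
// The chain enzyme -> cheerio -> css-select -> nth-check mirrors the PR text;
// the intermediate packages elided there are simplified to a single edge.
// Versions other than nth-check@1.2.0 are placeholders, not taken from the page.
const BEFORE_BUMP = {
  'my-app@1.0.0':        ['enzyme@3.11.0'],
  'enzyme@3.11.0':       ['cheerio@1.0.0-rc.10'],
  'cheerio@1.0.0-rc.10': ['css-select@4.1.3'],
  'css-select@4.1.3':    ['nth-check@1.2.0'],
  'nth-check@1.2.0':     [],
};

// Same application after the bump: cheerio no longer depends on css-select.
const AFTER_BUMP = {
  'my-app@1.0.0':        ['enzyme@3.11.0'],
  'enzyme@3.11.0':       ['cheerio@1.0.0-rc.11'],
  'cheerio@1.0.0-rc.11': [],
};

// Placeholder for the advisory's fixed version; substitute the real one.
const ASSUMED_FIXED_VERSION = '2.0.0';

// Split "name@version" on the last "@" so scoped packages (@scope/name@1.0.0) work.
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Compare numeric major.minor.patch only; prerelease tags are ignored here,
// which is sufficient for a threshold check on a plain release version.
function versionLessThan(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map(Number);
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const xi = x[i] || 0;
    const yi = y[i] || 0;
    if (xi !== yi) return xi < yi;
  }
  return false;
}

// Depth-first walk returning every root-to-target path as an array of specs.
// The path itself doubles as the cycle guard, so circular deps terminate.
function findPaths(graph, rootSpec, targetName) {
  const paths = [];
  const walk = (spec, path) => {
    if (path.includes(spec)) return;
    const next = path.concat(spec);
    if (splitSpec(spec).name === targetName) {
      paths.push(next);
      return;
    }
    for (const dep of graph[spec] || []) walk(dep, next);
  };
  walk(rootSpec, []);
  return paths;
}

// For each path that reaches targetName, report the resolved version, the
// direct dependency responsible for it, and the full chain; keep only the
// hits whose version the isVulnerable predicate flags.
function report(graph, rootSpec, targetName, isVulnerable) {
  return findPaths(graph, rootSpec, targetName)
    .map((p) => ({
      version: splitSpec(p[p.length - 1]).version,
      directDep: p.length > 1 ? splitSpec(p[1]).name : null,
      chain: p.join(' -> '),
    }))
    .filter((hit) => isVulnerable(hit.version));
}

// Convenience wrapper for the scenario in the PR: is an affected nth-check reachable?
function auditNthCheck(graph) {
  return report(graph, 'my-app@1.0.0', 'nth-check',
    (v) => versionLessThan(v, ASSUMED_FIXED_VERSION));
}

console.log('before bump:', auditNthCheck(BEFORE_BUMP));
console.log('after bump: ', auditNthCheck(AFTER_BUMP));
```

Before the bump the report names `enzyme` as the direct dependency responsible and prints the full chain down to nth-check@1.2.0; after the bump no path reaches nth-check at all. Whether a reachable vulnerable version is actually exploitable is a separate question from whether it is present, which is the distinction raised later in this thread.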

vinodkumarsharma276 commented 2 years ago

Hi @ljharb / @lelandrichardson @koba04 @nfcampos, can someone take a look at this PR and approve it? This will fix the security vulnerability with nth-check@1.2.0, which is downloaded transitively via enzyme.

codecov[bot] commented 2 years ago

Codecov Report

Merging #2561 (6c63667) into master (3d286a4) will decrease coverage by 1.68%. The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #2561      +/-   ##
==========================================
- Coverage   96.31%   94.62%   -1.69%     
==========================================
  Files          49       32      -17     
  Lines        4207     2717    -1490     
  Branches     1130      777     -353     
==========================================
- Hits         4052     2571    -1481     
+ Misses        155      146       -9     
Impacted Files                                          Coverage Δ
...enzyme-adapter-utils/src/wrapWithSimpleWrapper.jsx   61.11% <0.00%> (-38.89%) ↓
packages/enzyme/src/EnzymeAdapter.js                    75.00% <0.00%> (-25.00%) ↓
...ges/enzyme-adapter-react-16/src/detectFiberTags.js   85.24% <0.00%> (-8.20%) ↓
packages/enzyme/src/ShallowWrapper.js                   94.86% <0.00%> (-4.26%) ↓
...enzyme-adapter-react-16/src/ReactSixteenAdapter.js   93.73% <0.00%> (-1.73%) ↓
packages/enzyme/src/RSTTraversal.js                     96.36% <0.00%> (-0.91%) ↓
packages/enzyme/src/ReactWrapper.js                     99.27% <0.00%> (-0.25%) ↓
packages/enzyme-adapter-react-14/src/index.js
packages/enzyme-adapter-react-13/src/index.js
packages/enzyme-adapter-react-15.4/src/index.js
... and 14 more

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 3d286a4...6c63667.

ljharb commented 2 years ago

It's worth noting that this is not actually a vulnerability; it's a false positive, at least for enzyme's use case.

ChristopherChudzicki commented 2 years ago

FYI: people (me included!) have been having problems with cheerio 1.0.0-rc.11, see ... https://github.com/cheeriojs/cheerio/issues/2545. It's not clear to me whether this is actually a cheerio issue or something a bit wonky with my and others' webpack/babel configs.

I mention it here because I, like others in that thread, encountered it through the dependency from enzyme.

tbowmo commented 1 day ago

cheerio 1.0.0 is now released, so perhaps (if anyone ever comes around) it should be updated to that package.

ljharb commented 1 day ago

Due to engine requirements, we may never be able to update to it. We’re far more likely to drop the render API.