kentcdodds / babel-plugin-macros

🎣 Allows you to build simple compile-time libraries
https://npm.im/babel-plugin-macros
MIT License
2.62k stars 135 forks

update cosmiconfig for yaml vulnerability fix #193

Closed ricardo-passthrough closed 1 year ago

ricardo-passthrough commented 1 year ago

What:

Updating the pinned version of cosmiconfig

Why:

Fix the vulnerability reported by npm audit:

# npm audit report

yaml  <2.2.2
Severity: moderate
Uncaught Exception in yaml - https://github.com/advisories/GHSA-f9xv-q969-pqx4
fix available via `npm audit fix --force`
Will install @emotion/react@11.9.3, which is a breaking change
node_modules/yaml
  cosmiconfig  6.0.0 - 7.1.0
  Depends on vulnerable versions of yaml
  node_modules/cosmiconfig
    babel-plugin-macros  >=2.6.2
    Depends on vulnerable versions of cosmiconfig
    node_modules/babel-plugin-macros
      @emotion/babel-plugin  >=11.9.5
      Depends on vulnerable versions of babel-plugin-macros
      node_modules/@emotion/babel-plugin
        @emotion/react  >=11.10.0
        Depends on vulnerable versions of @emotion/babel-plugin
        node_modules/@emotion/react
        @emotion/styled  >=11.10.0
        Depends on vulnerable versions of @emotion/babel-plugin
        node_modules/@emotion/styled

6 moderate severity vulnerabilities

How:

  1. updated the packages in package.json
  2. adjusted some tests for minor cosmetic changes in snapshots

Checklist:
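The audit report above is npm walking the lockfile from each installed package down to yaml and comparing the resolved version against the advisory's range. As an added example (not code from the PR or from babel-plugin-macros), the script below reproduces that walk over a constructed lockfile shaped like the chain in the report; the package versions and the extra `left-pad` entry are assumed sample values.

```javascript
// Added example (not from the PR or babel-plugin-macros): reproduce the transitive
// reasoning behind the npm audit report over a constructed lockfile. Versions are
// assumed sample values; left-pad is an unaffected control package.
const LOCKFILE = {
  "@emotion/react": { version: "11.10.0", dependencies: ["@emotion/babel-plugin"] },
  "@emotion/styled": { version: "11.10.0", dependencies: ["@emotion/babel-plugin"] },
  "@emotion/babel-plugin": { version: "11.9.5", dependencies: ["babel-plugin-macros"] },
  "babel-plugin-macros": { version: "3.1.0", dependencies: ["cosmiconfig"] },
  cosmiconfig: { version: "7.1.0", dependencies: ["yaml"] },
  yaml: { version: "1.10.2", dependencies: [] },
  "left-pad": { version: "1.3.0", dependencies: [] },
};

// Advisory from the report: yaml < 2.2.2 is affected (GHSA-f9xv-q969-pqx4).
const ADVISORY = { name: "yaml", fixedIn: "2.2.2" };

// Numeric compare of "x.y.z" strings (-1, 0, 1); no prerelease handling, which is
// enough for the resolved versions a lockfile records.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Depth-first walk from `root`; returns every dependency chain that ends at the
// advisory's package while its resolved version is below the fix. `seen` holds
// the packages on the current path so dependency cycles terminate.
function findVulnerablePaths(lockfile, advisory, root, path = [root], seen = new Set()) {
  const entry = lockfile[root];
  if (!entry || seen.has(root)) return [];
  if (root === advisory.name) {
    return compareVersions(entry.version, advisory.fixedIn) < 0 ? [path] : [];
  }
  seen.add(root);
  const paths = entry.dependencies.flatMap((dep) =>
    findVulnerablePaths(lockfile, advisory, dep, [...path, dep], seen)
  );
  seen.delete(root);
  return paths;
}

// Packages with at least one chain to the vulnerable version: the set npm audit
// lists, which empties once `yaml` resolves at >= 2.2.2.
function affectedPackages(lockfile, advisory) {
  return Object.keys(lockfile).filter((p) => findVulnerablePaths(lockfile, advisory, p).length > 0);
}
```

With `yaml` resolved at 2.2.2 the same walk returns no chains, which is the state a dependency bump such as this PR's produces; whether the vulnerable parse is reachable at all is the separate question raised in #192.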

conartist6 commented 1 year ago

Also thanks for contributing this! A new major version isn't necessarily a blocker if this is the right technical choice, but I want to make sure that if the library is doing a major version bump that all the choices have been considered first. I think that also means reviewing the trade-offs between this and #183.

jonathan3692bf commented 1 year ago

What about making this a patch level change, while y'all consider dropping yaml support entirely (#183) a major/breaking change?

conartist6 commented 1 year ago

@jonathan3692bf I am inclined to do nothing for now, since it was my determination over on #192 that this PR is an attempt to fix an issue that does not exist.

jonathan3692bf commented 1 year ago

You bring up a good point in #192; updating this would be the equivalent of "sanitation theater"...

ricardo-passthrough commented 1 year ago

closing the PR for now, thanks for the discussion!