max-mapper / nugget

minimalist wget clone written in node. HTTP GET files and downloads them into the current directory
BSD 3-Clause "New" or "Revised" License

bump pretty-bytes to ^4.0.2 #27

Closed pklingem closed 2 years ago

pklingem commented 6 years ago

pretty-bytes has an nth-level dependency with a security vulnerability (parse-json, which vendors in unicode.js). Bumping pretty-bytes significantly reduces the number of dependencies.

npm list results:

before:

├─┬ pretty-bytes@1.0.4
│ ├── get-stdin@4.0.1
│ └─┬ meow@3.7.0
│   ├─┬ camelcase-keys@2.1.0
│   │ ├── camelcase@2.1.1
│   │ └── map-obj@1.0.1 deduped
│   ├── decamelize@1.2.0
│   ├─┬ loud-rejection@1.6.0
│   │ ├─┬ currently-unhandled@0.4.1
│   │ │ └── array-find-index@1.0.2
│   │ └── signal-exit@3.0.2
│   ├── map-obj@1.0.1
│   ├── minimist@1.2.0 deduped
│   ├─┬ normalize-package-data@2.4.0
│   │ ├── hosted-git-info@2.5.0
│   │ ├─┬ is-builtin-module@1.0.0
│   │ │ └── builtin-modules@1.1.1
│   │ ├── semver@5.4.1
│   │ └─┬ validate-npm-package-license@3.0.1
│   │   ├─┬ spdx-correct@1.0.2
│   │   │ └── spdx-license-ids@1.2.2
│   │   └── spdx-expression-parse@1.0.4
│   ├── object-assign@4.1.1
│   ├─┬ read-pkg-up@1.0.1
│   │ ├─┬ find-up@1.1.2
│   │ │ ├─┬ path-exists@2.1.0
│   │ │ │ └── pinkie-promise@2.0.1 deduped
│   │ │ └─┬ pinkie-promise@2.0.1
│   │ │   └── pinkie@2.0.4
│   │ └─┬ read-pkg@1.1.0
│   │   ├─┬ load-json-file@1.1.0
│   │   │ ├── graceful-fs@4.1.11 deduped
│   │   │ ├─┬ parse-json@2.2.0
│   │   │ │ └─┬ error-ex@1.3.1
│   │   │ │   └── is-arrayish@0.2.1
│   │   │ ├── pify@2.3.0
│   │   │ ├── pinkie-promise@2.0.1 deduped
│   │   │ └─┬ strip-bom@2.0.0
│   │   │   └── is-utf8@0.2.1
│   │   ├── normalize-package-data@2.4.0 deduped
│   │   └─┬ path-type@1.1.0
│   │     ├── graceful-fs@4.1.11 deduped
│   │     ├── pify@2.3.0 deduped
│   │     └── pinkie-promise@2.0.1 deduped
│   ├─┬ redent@1.0.0
│   │ ├─┬ indent-string@2.1.0
│   │ │ └─┬ repeating@2.0.1
│   │ │   └─┬ is-finite@1.0.2
│   │ │     └── number-is-nan@1.0.1 deduped
│   │ └─┬ strip-indent@1.0.1
│   │   └── get-stdin@4.0.1 deduped
│   └── trim-newlines@1.0.0

after:

├── pretty-bytes@4.0.2
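
To check whether a bump like this really removes a flagged transitive package from an install, one can walk the object that `npm ls --json` prints. The following is an added example, not code from nugget or from this PR; its two sample trees are hand-constructed to mirror the before/after listings above, and `parse-json` is used as the package being looked for.

```javascript
// Added example, not code from nugget or from this PR: given the object that
// `npm ls --json` prints (each node has `version` and an optional `dependencies`
// map), list every path from the root to a package of interest and count how
// many distinct packages the tree contains. Both sample trees below are
// constructed by hand to mirror the "before" and "after" listings in the PR.
const dep = (version, dependencies) => ({ version, dependencies });

const BEFORE_TREE = dep('0.0.0', {
  'pretty-bytes': dep('1.0.4', {
    'get-stdin': dep('4.0.1'),
    meow: dep('3.7.0', {
      'read-pkg-up': dep('1.0.1', {
        'read-pkg': dep('1.1.0', {
          'load-json-file': dep('1.1.0', { 'parse-json': dep('2.2.0') }),
        }),
      }),
    }),
  }),
});

const AFTER_TREE = dep('0.0.0', { 'pretty-bytes': dep('4.0.2') });

// Depth-first walk returning every "a@1 > b@2 > target@3" chain that reaches
// `target`; a vulnerable package may be reachable through more than one chain,
// and each one has to disappear before an audit warning goes away.
function findPaths(tree, target, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) out.push(here.join(' > '));
    findPaths(node, target, here, out);
  }
  return out;
}

// Count distinct name@version entries; a package that appears under several
// parents (npm prints the repeats as "deduped") is counted once.
function countPackages(tree, seen = new Set()) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    seen.add(`${name}@${node.version}`);
    countPackages(node, seen);
  }
  return seen.size;
}
```

On a real project, feed `JSON.parse` of the `npm ls --json` output to `findPaths` and `countPackages` in place of the sample trees.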

pklingem commented 6 years ago

@maxogden tests are passing, any chance to merge this and bump the patch version so folks can clear up security vulnerabilities?

pklingem commented 6 years ago

@maxogden friendly bump.

max-mapper commented 6 years ago

I haven't had time to maintain this lately, anyone else wanna help do releases + testing? @mafintosh is also a contributor

DaeCatt commented 5 years ago

It's been over a year now and the dependency on pretty-bytes@^1.0.2 still produces a massive and completely unnecessary dependency tree for this module (and in turn any module which depends on nugget, e.g. electron through electron-download).

Please merge this!

GChuf commented 3 years ago

@maxogden & @mafintosh Friendly bump #2 ... Please merge this.

TheIceCreamBear commented 2 years ago

@maxogden Friendly bump of this PR. There are still some packages that use this, and any time you use one of those packages you get an audit warning (and a dependabot warning on GitHub too).

I tried to fix this via npm audit fix and by adding overrides (see npmjs.com) to the package.json of the project I'm working on and neither method was a solution.

This PR is probably the best method to resolve the vulnerability, as I believe most packages that depend on this package would upgrade almost immediately.

busybox11 commented 2 years ago

@maxogden @mafintosh Friendly bump too. Hope you'll see this! I just tried to reach out to Max on Twitter, just in case.

max-mapper commented 2 years ago

Published 2.0.2 with this PR.