vercel / nft

Node.js dependency tracing utility
https://npmjs.com/@vercel/nft
MIT License
1.31k stars, 136 forks

chore: Bump tar and npm #407

Closed dependabot[bot] closed 5 months ago

dependabot[bot] commented 5 months ago

Bumps tar to 6.2.1 and updates ancestor dependency npm. These dependencies need to be updated together.

Updates tar from 6.2.0 to 6.2.1

Updates npm from 6.14.18 to 10.5.2

Release notes

Sourced from npm's releases.

libnpmhook: v10.0.2

10.0.2 (2024-04-03)

Dependencies

libnpmhook: v10.0.1

10.0.1 (2023-12-06)

Chores

libnpmpublish: v9.0.5

9.0.5 (2024-04-03)

Dependencies

libnpmpublish: v9.0.4

9.0.4 (2024-01-24)

Dependencies

libnpmhook: v9.0.4

9.0.4 (2024-02-26)

Chores

libnpmpublish: v9.0.3

9.0.3 (2023-12-06)

Chores

... (truncated)

Changelog

Sourced from npm's changelog.

10.5.2 (2024-04-10)

Bug Fixes

Documentation

Dependencies

Chores

10.5.1 (2024-04-03)

Bug Fixes

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/vercel/nft/network/alerts).

styfle commented 5 months ago

Looks like newer versions of npm no longer support programmatic access.

So perhaps we should just delete this test

https://github.com/vercel/nft/blob/main/test/integration/npm.js

dependabot[bot] commented 5 months ago

OK, I won't notify you again about this release, but will get in touch when a new version is available.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

knd775 commented 5 months ago

Closing this caused dependabot to ignore tar, even though the PR only addressed npm

edit: It's worth noting that this update was because of a security advisory https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36

styfle commented 5 months ago

@dependabot recreate

dependabot[bot] commented 5 months ago

Looks like this PR is closed. If you re-open it I'll rebase it as long as no-one else has edited it (you can use @dependabot reopen if the branch has been deleted).

styfle commented 5 months ago

@dependabot rebase

dependabot[bot] commented 5 months ago

Looks like these dependencies are no longer a dependency, so this is no longer needed.

knd775 commented 5 months ago

Dependabot can be really dumb sometimes. tar is still a dependency through @mapbox/node-pre-gyp

styfle commented 5 months ago

@knd775 Are you sure? If I do npm remove @mapbox/node-pre-gyp and npm add @mapbox/node-pre-gyp@latest, it doesn't change tar.

knd775 commented 5 months ago

Yeah. Confirmed by `npm why tar` [image]

Unfortunately @mapbox/node-pre-gyp hasn't been updated, yet. Dependabot updates lockfiles directly for a case like this.

styfle commented 5 months ago

> Unfortunately @mapbox/node-pre-gyp hasn't been updated, yet.

Let's get it updated there and then we can bump it in nft. Otherwise, everyone using nft will continue to be impacted by this vulnerability.

styfle commented 5 months ago

Looks like someone already created a PR:

knd775 commented 4 months ago

Looks like this is unlikely to be fixed: https://github.com/mapbox/node-pre-gyp/pull/713#issuecomment-2106906021

styfle commented 4 months ago

Is there a successor/fork?

knd775 commented 4 months ago

I did a quick search through github repos that switched from node-pre-gyp and nearly all of them just switched to rust based alternatives. That doesn't really work for your use case, since you all are using it to find binaries other people are binding using node-pre-gyp. Not sure that you all have any good options here. Could probably just vendor the utils you need since the BSD license is compatible with MIT.

styfle commented 4 months ago

I wonder if we even need to include the dependency at all.

I looked at how consumers are using it (for example, argon2) and it's just a single function export:

```javascript
const path = require("path");
const binary = require("@mapbox/node-pre-gyp");
// Resolve the prebuilt .node binary from the "binary" config in package.json
const bindingPath = binary.find(path.resolve(__dirname, "./package.json"));
```

So perhaps we could implement this find() function easily assuming it's just reading the package.json.

Do you want to submit a PR to implement this?