Closed dependabot[bot] closed 5 months ago
Looks like newer versions of npm no longer support programmatic access.
So perhaps we should just delete this test:
https://github.com/vercel/nft/blob/main/test/integration/npm.js
OK, I won't notify you again about this release, but will get in touch when a new version is available.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Closing this caused dependabot to ignore `tar`, even though the PR only addressed `npm`.
edit: It's worth noting that this update was because of a security advisory: https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
@dependabot recreate
Looks like this PR is closed. If you re-open it I'll rebase it as long as no-one else has edited it (you can use `@dependabot reopen` if the branch has been deleted).
@dependabot rebase
Looks like these dependencies are no longer a dependency, so this is no longer needed.
Dependabot can be really dumb sometimes. `tar` is still a dependency through `@mapbox/node-pre-gyp`.
@knd775 Are you sure? If I do `npm remove @mapbox/node-pre-gyp` and `npm add @mapbox/node-pre-gyp@latest`, it doesn't change `tar`.
Yeah. Confirmed by `npm why tar`.
Unfortunately `@mapbox/node-pre-gyp` hasn't been updated yet. Dependabot updates lockfiles directly for a case like this.
> Unfortunately @mapbox/node-pre-gyp hasn't been updated, yet.

Let's get it updated there and then we can bump it in nft. Otherwise, everyone using nft will continue to be impacted by this vulnerability.
Looks like someone already created a PR:
Looks like this is unlikely to be fixed: https://github.com/mapbox/node-pre-gyp/pull/713#issuecomment-2106906021
Is there a successor/fork?
I did a quick search through GitHub repos that switched from `node-pre-gyp`, and nearly all of them just switched to Rust-based alternatives. That doesn't really work for your use case, since you all are using it to find binaries other people are binding using `node-pre-gyp`. Not sure that you all have any good options here. Could probably just vendor the utils you need, since the BSD license is compatible with MIT.
I wonder if we even need to include the dependency at all.
I looked at how consumers are using it (for example, argon2) and it's just a single function export:

```js
const path = require("path");
const binary = require("@mapbox/node-pre-gyp");

// find() takes the path of the consumer's package.json and returns the
// absolute path of the compiled .node binding described in its "binary" section.
const bindingPath = binary.find(path.resolve(__dirname, "./package.json"));
```

So perhaps we could implement this `find()` function easily, assuming it's just reading the package.json.
Do you want to submit a PR to implement this?
Bumps tar to 6.2.1 and updates ancestor dependency npm. These dependencies need to be updated together.
Updates `tar` from 6.2.0 to 6.2.1

Commits
- bef7b1e 6.2.1
- fe8cd57 prevent extraction in excessively deep subfolders
- fe7ebfd remove security.md

Updates `npm` from 6.14.18 to 10.5.2

Release notes
Sourced from npm's releases.
... (truncated)

Changelog
Sourced from npm's changelog.
... (truncated)

Commits
- ca15992 chore: release 10.5.2
- 699a1de deps: @npmcli/map-workspaces@3.0.6
- 49fb9b7 deps: socks@2.8.3
- f69052e deps: @npmcli/package-json@5.0.2
- ef381b1 fix: use @npmcli/redact for url cleaning (#7363)
- 3760dd2 fix(perf): do less work loading config (#7361)
- 64bcf4c fix(perf): only initialize workpaces when we are inside a workspace (#7360)
- 5a28a29 fix(perf): lazy load workspace dependency (#7352)
- 5fc0f9d fix: lazy load validate npm package name on error message (#7347)
- 81be28d chore: dev dependency updates

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show