
markdown-it: remove dependency highlight.js (and only keep @types/highlight.js) to resolve vulnerability GHSA-7wwv-vh3v-89cq #49964

Merged: 4 commits merged into DefinitelyTyped:master on Dec 16, 2020

Conversation

UNIDY2002 (Contributor):

Please fill in this template.

Select one of these and delete the others:

If changing an existing definition:

  • Provide a URL to documentation or source code which provides context for the suggested changes: GHSA-7wwv-vh3v-89cq
  • If this PR brings the type definitions up to date with a new version of the JS library, update the version number in the header.
  • If you are making substantial changes, consider adding a tslint.json containing { "extends": "dtslint/dt.json" }. If for some reason the any rule needs to be disabled, disable it for that line using // tslint:disable-next-line [ruleName] and not for the whole package, so that the need for disabling can be reviewed.

Note: in addition, adjustments have been made in line with the changed API: markdown-it/markdown-it#626

@typescript-bot typescript-bot added the label Popular package (This PR affects a popular package, as counted by NPM download counts) Dec 5, 2020
@typescript-bot typescript-bot added this to Waiting for Code Reviews in New Pull Request Status Board Dec 5, 2020
typescript-bot (Contributor) commented Dec 5, 2020:

@UNIDY2002 Thank you for submitting this PR!

This is a live comment which I will keep updated.

1 package in this PR

Code Reviews

Because you edited one package and updated the tests (👏), I can help you merge this PR once someone else signs off on it.

Status

  • ✅ No merge conflicts
  • ✅ Continuous integration tests have passed
  • ✅ Most recent commit is approved by type definition owners or DT maintainers

All of the items on the list are green. To merge, you need to post a comment including the string "Ready to merge" to bring in your changes.


Diagnostic Information: What the bot saw about this PR
{
  "type": "info",
  "now": "-",
  "pr_number": 49964,
  "author": "UNIDY2002",
  "headCommitAbbrOid": "f6e7cf5",
  "headCommitOid": "f6e7cf5ec78bd152393f847e4dd60a0761b7830a",
  "lastPushDate": "2020-12-05T08:36:47.000Z",
  "lastActivityDate": "2020-12-16T13:27:11.000Z",
  "maintainerBlessed": false,
  "mergeOfferDate": "2020-12-16T13:25:19.000Z",
  "mergeRequestDate": "2020-12-16T13:27:11.000Z",
  "mergeRequestUser": "UNIDY2002",
  "hasMergeConflict": false,
  "isFirstContribution": false,
  "popularityLevel": "Popular",
  "pkgInfo": [
    {
      "name": "markdown-it",
      "kind": "edit",
      "files": [
        {
          "path": "types/markdown-it/index.d.ts",
          "kind": "definition"
        },
        {
          "path": "types/markdown-it/lib/index.d.ts",
          "kind": "definition"
        },
        {
          "path": "types/markdown-it/package.json",
          "kind": "package-meta-ok"
        },
        {
          "path": "types/markdown-it/test/index.ts",
          "kind": "test"
        }
      ],
      "owners": [
        "plantain-00",
        "rapropos",
        "duduluu"
      ],
      "addedOwners": [],
      "deletedOwners": [],
      "popularityLevel": "Popular"
    }
  ],
  "reviews": [
    {
      "type": "approved",
      "reviewer": "plantain-00",
      "date": "2020-12-16T13:24:41.000Z",
      "isMaintainer": false
    }
  ],
  "ciResult": "pass"
}

typescript-bot (Contributor) commented:

🔔 @plantain-00 @rapropos @duduluu — please review this PR in the next few days. Be sure to explicitly select Approve or Request Changes in the GitHub UI so I know what's going on.

@typescript-bot typescript-bot added the label The CI failed (When GH Actions fails) Dec 5, 2020
@typescript-bot typescript-bot moved this from Waiting for Code Reviews to Needs Author Action in New Pull Request Status Board Dec 5, 2020
typescript-bot (Contributor) commented:

@UNIDY2002 The CI build failed! Please review the logs for more information.

Once you've pushed the fixes, the build will automatically re-run. Thanks!

typescript-bot (Contributor) commented:

👋 Hi there! I’ve run some quick measurements against master and your PR. These metrics should help the humans reviewing this PR gauge whether it might negatively affect compile times or editor responsiveness for users who install these typings.

Let’s review the numbers, shall we?

These typings are for a version of markdown-it that doesn’t yet exist on master, so I’ve compared them with v10.0.

Comparison details 📊

                                   10.0@master    12.0 in #49964    diff
Batch compilation
  Memory usage (MiB)               83.0           83.0              0.0%
  Type count                       10780          11026             +2%
  Assignability cache size         3516           3550              +1%
Language service
  Samples taken                    1008           1011              0%
  Identifiers in tests             1008           1011              0%
  getCompletionsAtPosition
    Mean duration (ms)             354.4          355.0             +0.2%
    Mean CV                        9.5%           9.0%
    Worst duration (ms)            493.5          534.6             +8.3%
    Worst identifier               stateInline    stateInline
  getQuickInfoAtPosition
    Mean duration (ms)             357.6          360.5             +0.8%
    Mean CV                        9.5%           9.8%
    Worst duration (ms)            478.8          480.2             +0.3%
    Worst identifier               use            pos

It looks like nothing changed too much. I won’t post performance data again unless it gets worse.

@typescript-bot typescript-bot added the label Perf: Same (typescript-bot determined that this PR will not significantly impact compilation performance) Dec 5, 2020
(So that the TypeScript version can remain 2.0, and will not break the requirements of the dependents of this library.)
@typescript-bot typescript-bot removed the label The CI failed (When GH Actions fails) Dec 5, 2020
@typescript-bot typescript-bot moved this from Needs Author Action to Waiting for Code Reviews in New Pull Request Status Board Dec 5, 2020
@UNIDY2002 UNIDY2002 changed the title markdown-it: update dependency highlight.js to resolve vulnerability GHSA-7wwv-vh3v-89cq markdown-it: remove dependency highlight.js (and only keep @types/highlight.js) to resolve vulnerability GHSA-7wwv-vh3v-89cq Dec 5, 2020
UNIDY2002 (Contributor, Author) commented:

So, any updates?

@typescript-bot typescript-bot added the label Unreviewed (No one showed up to review this PR, so it'll be reviewed by a DT maintainer) Dec 16, 2020
typescript-bot (Contributor) commented:

Re-ping @plantain-00, @rapropos, @duduluu:

This PR has been out for over a week, yet I haven't seen any reviews.

Could someone please give it some attention? Thanks!

@typescript-bot typescript-bot added the labels Owner Approved (A listed owner of this package signed off on the pull request) and Self Merge (This PR can now be self-merged by the PR author or an owner), and removed the label Unreviewed (No one showed up to review this PR, so it'll be reviewed by a DT maintainer) Dec 16, 2020
@typescript-bot typescript-bot moved this from Waiting for Code Reviews to Waiting for Author to Merge in New Pull Request Status Board Dec 16, 2020
typescript-bot (Contributor) commented:

@UNIDY2002 Everything looks good here. Great job! I am ready to merge this PR (at f6e7cf5) on your behalf.

If you'd like that to happen, please post a comment saying:

Ready to merge

and I'll merge this PR almost instantly. Thanks for helping out! ❤️

(@plantain-00, @rapropos, @duduluu: you can do this too.)

UNIDY2002 (Contributor, Author) commented:

Ready to merge

@typescript-bot typescript-bot moved this from Waiting for Author to Merge to Recently Merged in New Pull Request Status Board Dec 16, 2020
@typescript-bot typescript-bot merged commit 305f212 into DefinitelyTyped:master Dec 16, 2020
typescript-bot (Contributor) commented:

I just published @types/markdown-it@12.0.0 to npm.

@typescript-bot typescript-bot removed this from Recently Merged in New Pull Request Status Board Dec 16, 2020
Mister-Hope (Contributor) commented Dec 20, 2020:

Hi there, I am a bit confused. Since markdown-it@v12 is already using highlight.js@v10, why revert back to v9? 🧐 @UNIDY2002

Edit: I found that you seem to want to support TypeScript v2, but I disagree with this.

  1. TypeScript versions below 3.2 are no longer supported.
  2. 0.10.x to 0.12.0 is a version change, so CI and bots like dependabot will think that it may contain breaking changes; no one will automatically update to 0.12 and no one's environment will be broken. They are free to decide whether to upgrade to 0.12.0.

UNIDY2002 (Contributor, Author) commented:

@Mister-Hope Sorry for the late reply (I was surprised to find the email notification in my junk list...)

I did this because when I first tried to simply bump the version up (07069a8), the CI of DefinitelyTyped wouldn't pass as some dependents of markdown-it require a lower version of TypeScript. (See: https://github.com/DefinitelyTyped/DefinitelyTyped/runs/1502774285) So I could only make a compromise.

Labels: Owner Approved (A listed owner of this package signed off on the pull request); Perf: Same (typescript-bot determined that this PR will not significantly impact compilation performance); Popular package (This PR affects a popular package, as counted by NPM download counts); Self Merge (This PR can now be self-merged by the PR author or an owner)

4 participants