
Make sure that minimist gets bumped past the vulnerable version #322

Merged
merged 1 commit into master from freben/yarnlock on Mar 22, 2020

Conversation

@freben (Member) commented Mar 19, 2020

History revisionism: Did this by only touching the affected packages.

@freben freben requested a review from a team as a code owner March 19, 2020 12:45
@Rugvip (Member) commented Mar 19, 2020

I guess it works until it doesn't? 😁

Never actually tried yarn.lock regeneration as a strategy in any project, kinda hoping it would work though.

Can't find much on the web btw, some discussion here https://stackoverflow.com/questions/52928016/is-there-an-appropriate-time-to-routinely-delete-yarn-lock-package-lock-json

@freben (Member, Author) commented Mar 19, 2020

Yeah. The thing here, if I understand it correctly, is that we depend on A which depends on B@^1.1.1 which depends on C@badversion, and B comes out with a new patch version that depends on C@goodversion. And we want to sort of update "in the middle of" the tree.

@freben (Member, Author) commented Mar 19, 2020

more context: eslint/eslint#13050

@Rugvip (Member) commented Mar 19, 2020

Hmm, solved that before by just modifying yarn.lock. In this case you should be able to just delete the bad entries from yarn.lock and re-run yarn.
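The situation described in the two comments above (a transitive dependency pinned to an old minimist release in the middle of the tree, fixed by removing the stale yarn.lock entries and re-running yarn) can be checked mechanically. This is an added example, not code from the PR or from the Backstage project: it parses a constructed v1 yarn.lock excerpt and lists the entries whose resolved version of a package is still below a minimum version, which are exactly the blocks to delete before re-running yarn. The minimum version 1.2.3 used in the demo is an assumption taken from the minimist advisory, not from this page.

```python
import re

# Constructed yarn.lock (v1 format) excerpt, not the PR's own file: two
# selectors still resolve to old minimist releases, one is already bumped.
SAMPLE_LOCK = """\
minimist@0.0.8:
  version "0.0.8"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.0.8.tgz"

minimist@^1.1.1, minimist@^1.2.0:
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz"

minimist@^1.2.5:
  version "1.2.5"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz"

mkdirp@^0.5.1:
  version "0.5.1"
  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.1.tgz"
"""

def parse_lock(text):
    """Return {selector: resolved version} for every entry in a v1 yarn.lock."""
    entries, selectors = {}, []
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):
            # Block header, e.g.:  minimist@^1.1.1, minimist@^1.2.0:
            selectors = [s.strip().strip('"') for s in line[:-1].split(",")]
        elif selectors:
            m = re.match(r'\s+version "([^"]+)"', line)
            if m:
                for sel in selectors:
                    entries[sel] = m.group(1)
    return entries

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def stale_entries(text, package, min_version):
    """Selectors whose resolved version of `package` is below min_version.
    Deleting these blocks and re-running yarn forces them to be re-resolved.
    rsplit keeps scoped names such as @scope/pkg@^1.0.0 intact."""
    return sorted(
        (sel, ver) for sel, ver in parse_lock(text).items()
        if sel.rsplit("@", 1)[0] == package
        and version_tuple(ver) < version_tuple(min_version)
    )

if __name__ == "__main__":
    for sel, ver in stale_entries(SAMPLE_LOCK, "minimist", "1.2.3"):
        print(f"{sel} -> {ver} (delete this block, then re-run yarn)")
```

Run it against a real yarn.lock by reading the file into `stale_entries`; an empty result after regeneration is the check that the bump actually landed everywhere in the tree.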

@freben freben changed the title from "Recreate fresh yarn.lock, removes at least some of the minimist security issue deps" to "Make sure that minimist gets bumped past the vulnerable version" on Mar 22, 2020
@freben freben merged commit 31e11b0 into master Mar 22, 2020
@freben freben deleted the freben/yarnlock branch March 22, 2020 20:29
tjg184 pushed a commit to tjg184/backstage that referenced this pull request on Sep 24, 2022: "Change default backend port from 7000 to 7007"