Bump rimraf to 5.0.5 to fix DoS #707
Conversation
Older versions of rimraf transitively depended on a package called inflight, which is no longer maintained and currently has a medium severity security vulnerability associated with it: https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
Newer versions of rimraf rely on a newer version of glob, which no longer imports inflight.
Due to the differences in major version, rimraf has since changed its API. It now returns promises (as opposed to callbacks), and as a result we need to provide two functions to the .then() continuation to invoke the callback correctly (with the parameters in the correct order).
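The callback-to-promise adaptation the description refers to, as an added example that is not code from this PR or from rimraf itself. `fakeRimraf` is a constructed stand-in for rimraf's promise-returning API (assumed shape: resolves on success, rejects with an Error on failure) so the example runs offline; the three adapters show why two handlers on the same `.then()` are needed.

```javascript
// Added example, not code from this PR or from rimraf: adapting a
// promise-returning rimraf (v4+) to the error-first callback that the
// old callback API gave callers. fakeRimraf is a constructed stand-in.
const fakeRimraf = (path) =>
  path.startsWith('/protected')
    ? Promise.reject(new Error(`EACCES: ${path}`))
    : Promise.resolve(true);

// Naive: `.then(cb)` hands the resolved value to cb as its FIRST
// argument, i.e. in the error slot, and a rejection never reaches cb.
function removeNaive(path, cb) {
  return fakeRimraf(path).then(cb);
}

// Chained `.catch()`: if cb throws inside the success handler, that
// exception is caught below and cb is invoked a second time with it,
// so a caller can observe two completions for one removal.
function removeChained(path, cb) {
  return fakeRimraf(path)
    .then((result) => cb(null, result))
    .catch((err) => cb(err));
}

// What the PR describes: two handlers on the same `.then()`. Success
// reaches cb as (null, result), failure as (err), and an exception
// thrown by cb itself propagates out of the chain instead of being
// fed back into cb.
function removeWithCallback(path, cb) {
  return fakeRimraf(path).then(
    (result) => cb(null, result),
    (err) => cb(err),
  );
}

// Helpers for checking the adapters: resolve with the arguments cb
// received, or with how many times cb ran when it throws on first call.
function callbackArgs(adapter, path) {
  return new Promise((resolve) => {
    adapter(path, (...args) => resolve(args)).catch(() => {});
  });
}
function callbackCount(adapter, path) {
  return new Promise((resolve) => {
    let calls = 0;
    adapter(path, () => {
      calls += 1;
      if (calls === 1) throw new Error('callback failed');
    }).catch(() => {});
    setTimeout(() => resolve(calls), 20);
  });
}
```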
Looks like the CI is failing for a couple of reasons:
The readme specifies node version 8 is supported, however I don't think there is a safe version of rimraf that will work. A transitive dependency in rimraf uses newer ECMAScript features which are not supported in some older node versions. Is v8 really the minimum still? Can I suggest bumping to v18 (LTS)?
FYI, the documentation in the README is incorrect. The minimum node version required is actually 10. Output from
This PR bumps the minimum node version required to 14.17:
I recommend we also add
Any plans on this?
Accepting this PR would be very useful!
Please insert the line
Thanks @cclauss, that fixed the build for NodeJS 14. The others are failing due to syntax errors, as expected. I'm going to revert that commit and instead apply the patch from your PR, #709, which will update the CI to sane versions of NodeJS (and include the crosswalk fix). Applied by:
Preferably, let me know when your branch merges in (if ever), and I'll remove the latest commit prior to this being merged, to keep attribution clean.