fix: better handling of whitespace #564
Merged
+136
−72
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lukekarrys
force-pushed
the
lk/whitespace
branch
3 times, most recently
from
0dcb021
to
fc08341
Compare
lukekarrys
force-pushed
the
lk/whitespace
branch
from
fc08341
to
b6db78d
Compare
wraithgar
approved these changes
Jun 15, 2023
Merged
|
Snyk reported that this PR fixed a vulnerability in semver 7.5.1: https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795 According to Snyk, it looks like semver 5.7.1 has the same issue. It seems a lot of packages still depend on semver 5.x. Is there any chance of applying this fix in a 5.7.2 release as well? (I looked but I didn't see a 5.x branch in this repo) |
|
@lukekarrys @wraithgar |
|
At this time, seeing as how v5/6 is a single 1400+ line file with outdated testing deps and no working CI we do not have plans to backport this. |
|
@wraithgar, while I totally side with you on this, it's much more difficult to bulk upgrade semver to v7 across deep dependency trees of even medium side projects. We have 10+ usages of it just in microsoft/vscode. This is a compliment: semver is very popular and its usage is widespread. We thank you for this library! ❤️ That being said, we like to put our commits where our mouth is. I've backported the fix to v5: https://github.com/npm/node-semver/compare/v5.7.1...joaomoreno:joao/backport-564-to-v5?expand=1. I've also fixed the test suites and added the relevant test cases, all green: https://asciinema.org/a/593286. I hope you can consider this for releasing an eventual 5.7.2 version, given your review. If successful, I would gladly backport the same fix to v6. I can't quite create a PR, since there's no v5 branch to upstream against. If you'd like to roll this forward, let's create a v5 branch and we'll create a PR from my ref. |
1 task
|
That would be amazing; semver v7's dropping of node versions means i'm stuck on v6 for basically ever on dozens of packages. |
1 task
1 task
|
The babel team has also stated that they'd fork v6 to fix the issue. babel/babel#15720 (comment) |
This was referenced Jun 29, 2023
|
This is great, we really appreciate the effort! ❤️ Here's my PR for v5: #585 |
|
I will open a PR later for v6, thank you! |
|
@nicolo-ribaudo the If you'd like to try to get all of them in your PR go for it 😄 Otherwise just the fix your have in your fork would be great! |
lukekarrys
added a commit
that referenced
this pull request
Jul 7, 2023
lukekarrys
added a commit
that referenced
this pull request
Jul 7, 2023
|
I appreciate all of your efforts to backport patches to versions that are over 3 years old. |
5 tasks
This was referenced Jul 10, 2023
lukekarrys
added a commit
that referenced
this pull request
Jul 10, 2023
lukekarrys
added a commit
that referenced
this pull request
Jul 10, 2023
This was referenced Jul 31, 2023
vanbasten17
pushed a commit
to hubtype/botonic
that referenced
this pull request
Aug 5, 2023
<p>This PR was automatically created by Snyk using the credentials of a
real user.</p><br /><h3>Snyk has created this PR to upgrade semver from
7.5.2 to 7.5.3.</h3>
:information_source: Keep your dependencies up-to-date. This makes it
easier to fix existing vulnerabilities and to more quickly identify and
fix newly disclosed vulnerabilities when they affect your project.
<hr/>
- The recommended version is **1 version** ahead of your current
version.
- The recommended version was released **a month ago**, on 2023-06-22.
<details>
<summary><b>Release notes</b></summary>
<br/>
<details>
<summary>Package name: <b>semver</b></summary>
<ul>
<li>
<b>7.5.3</b> - <a
href="https://snyk.io/redirect/github/npm/node-semver/releases/tag/v7.5.3">2023-06-22</a></br><h2><a
href="https://snyk.io/redirect/github/npm/node-semver/compare/v7.5.2...v7.5.3">7.5.3</a>
(2023-06-22)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><a
href="https://snyk.io/redirect/github/npm/node-semver/commit/abdd93d55496d22e3c15a454a5cf13f101e48bce"><code>abdd93d</code></a>
<a href="https://snyk.io/redirect/github/npm/node-semver/pull/571"
data-hovercard-type="pull_request"
data-hovercard-url="/npm/node-semver/pull/571/hovercard">#571</a> set
max lengths in regex for numeric and build identifiers (<a
class="issue-link js-issue-link" data-error-text="Failed to load title"
data-id="1770283620" data-permission-text="Title is private"
data-url="npm/node-semver#571"
data-hovercard-type="pull_request"
data-hovercard-url="/npm/node-semver/pull/571/hovercard"
href="https://snyk.io/redirect/github/npm/node-semver/pull/571">#571</a>)
(<a class="user-mention notranslate" data-hovercard-type="user"
data-hovercard-url="/users/lukekarrys/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://snyk.io/redirect/github/lukekarrys">@ lukekarrys</a>)</li>
</ul>
<h3>Documentation</h3>
<ul>
<li><a
href="https://snyk.io/redirect/github/npm/node-semver/commit/bf53dd8da15a17eb6b8111115d0d8ef341fea5db"><code>bf53dd8</code></a>
<a href="https://snyk.io/redirect/github/npm/node-semver/pull/569"
data-hovercard-type="pull_request"
data-hovercard-url="/npm/node-semver/pull/569/hovercard">#569</a> add
example for <code>></code> comparator (<a class="issue-link
js-issue-link" data-error-text="Failed to load title"
data-id="1760207342" data-permission-text="Title is private"
data-url="npm/node-semver#569"
data-hovercard-type="pull_request"
data-hovercard-url="/npm/node-semver/pull/569/hovercard"
href="https://snyk.io/redirect/github/npm/node-semver/pull/569">#569</a>)
(<a class="user-mention notranslate" data-hovercard-type="user"
data-hovercard-url="/users/mbtools/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://snyk.io/redirect/github/mbtools">@ mbtools</a>)</li>
</ul>
</li>
<li>
<b>7.5.2</b> - <a
href="https://snyk.io/redirect/github/npm/node-semver/releases/tag/v7.5.2">2023-06-15</a></br><h2><a
href="https://snyk.io/redirect/github/npm/node-semver/compare/v7.5.1...v7.5.2">7.5.2</a>
(2023-06-15)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><a
href="https://snyk.io/redirect/github/npm/node-semver/commit/58c791f40ba8cf4be35a5ca6644353ecd6249edc"><code>58c791f</code></a>
<a href="https://snyk.io/redirect/github/npm/node-semver/pull/566"
data-hovercard-type="pull_request"
data-hovercard-url="/npm/node-semver/pull/566/hovercard">#566</a> diff
when detecting major change from prerelease (<a class="issue-link
js-issue-link" data-error-text="Failed to load title"
data-id="1759184862" data-permission-text="Title is private"
data-url="npm/node-semver#566"
data-hovercard-type="pull_request"
data-hovercard-url="/npm/node-semver/pull/566/hovercard"
href="https://snyk.io/redirect/github/npm/node-semver/pull/566">#566</a>)
(<a class="user-mention notranslate" data-hovercard-type="user"
data-hovercard-url="/users/lukekarrys/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://snyk.io/redirect/github/lukekarrys">@ lukekarrys</a>)</li>
<li><a
href="https://snyk.io/redirect/github/npm/node-semver/commit/5c8efbcb3c6c125af10746d054faff13e8c33fbd"><code>5c8efbc</code></a>
<a href="https://snyk.io/redirect/github/npm/node-semver/pull/565"
data-hovercard-type="pull_request"
data-hovercard-url="/npm/node-semver/pull/565/hovercard">#565</a>
preserve build in raw after inc (<a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="1758105410"
data-permission-text="Title is private"
data-url="npm/node-semver#565"
data-hovercard-type="pull_request"
data-hovercard-url="/npm/node-semver/pull/565/hovercard"
href="https://snyk.io/redirect/github/npm/node-semver/pull/565">#565</a>)
(<a class="user-mention notranslate" data-hovercard-type="user"
data-hovercard-url="/users/lukekarrys/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://snyk.io/redirect/github/lukekarrys">@ lukekarrys</a>)</li>
<li><a
href="https://snyk.io/redirect/github/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"><code>717534e</code></a>
<a href="https://snyk.io/redirect/github/npm/node-semver/pull/564"
data-hovercard-type="pull_request"
data-hovercard-url="/npm/node-semver/pull/564/hovercard">#564</a> better
handling of whitespace (<a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="1757995222"
data-permission-text="Title is private"
data-url="npm/node-semver#564"
data-hovercard-type="pull_request"
data-hovercard-url="/npm/node-semver/pull/564/hovercard"
href="https://snyk.io/redirect/github/npm/node-semver/pull/564">#564</a>)
(<a class="user-mention notranslate" data-hovercard-type="user"
data-hovercard-url="/users/lukekarrys/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://snyk.io/redirect/github/lukekarrys">@ lukekarrys</a>)</li>
</ul>
</li>
</ul>
from <a
href="https://snyk.io/redirect/github/npm/node-semver/releases">semver
GitHub release notes</a>
</details>
</details>
<details>
<summary><b>Commit messages</b></summary>
</br>
<details>
<summary>Package name: <b>semver</b></summary>
<ul>
<li><a
href="https://snyk.io/redirect/github/npm/node-semver/commit/7fdf1ef223826b428d7f8aaf906e9eeefa9469f9">7fdf1ef</a>
chore: release 7.5.3</li>
<li><a
href="https://snyk.io/redirect/github/npm/node-semver/commit/bf53dd8da15a17eb6b8111115d0d8ef341fea5db">bf53dd8</a>
docs: add example for `>` comparator (#569)</li>
<li><a
href="https://snyk.io/redirect/github/npm/node-semver/commit/abdd93d55496d22e3c15a454a5cf13f101e48bce">abdd93d</a>
fix: set max lengths in regex for numeric and build identifiers
(#571)</li>
</ul>
<a
href="https://snyk.io/redirect/github/npm/node-semver/compare/e7b78de06eb14a7fa2075cedf9f167040d8d31af...7fdf1ef223826b428d7f8aaf906e9eeefa9469f9">Compare</a>
</details>
</details>
<hr/>
**Note:** *You are seeing this because you or someone else with access
to this repository has authorized Snyk to open upgrade PRs.*
For more information: <img
src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiJiMWEyMTY5MS04NWI3LTQ1MjMtOWM5ZS1hYjU3OTdjOWFkZDciLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6ImIxYTIxNjkxLTg1YjctNDUyMy05YzllLWFiNTc5N2M5YWRkNyJ9fQ=="
width="0" height="0"/>
🧐 [View latest project
report](https://app.snyk.io/org/manuelfidalgo/project/1e476a2c-f968-4574-8a48-a93a0982eecc?utm_source=github&utm_medium=referral&page=upgrade-pr)
🛠 [Adjust upgrade PR
settings](https://app.snyk.io/org/manuelfidalgo/project/1e476a2c-f968-4574-8a48-a93a0982eecc/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr)
🔕 [Ignore this dependency or unsubscribe from future upgrade
PRs](https://app.snyk.io/org/manuelfidalgo/project/1e476a2c-f968-4574-8a48-a93a0982eecc/settings/integration?pkg=semver&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades)
<!---
(snyk:metadata:{"prId":"b1a21691-85b7-4523-9c9e-ab5797c9add7","prPublicId":"b1a21691-85b7-4523-9c9e-ab5797c9add7","dependencies":[{"name":"semver","from":"7.5.2","to":"7.5.3"}],"packageManager":"npm","type":"auto","projectUrl":"https://app.snyk.io/org/manuelfidalgo/project/1e476a2c-f968-4574-8a48-a93a0982eecc?utm_source=github&utm_medium=referral&page=upgrade-pr","projectPublicId":"1e476a2c-f968-4574-8a48-a93a0982eecc","env":"prod","prType":"upgrade","vulns":[],"issuesToFix":[],"upgrade":[],"upgradeInfo":{"versionsDiff":1,"publishedDate":"2023-06-22T21:53:19.774Z"},"templateVariants":[],"hasFixes":false,"isMajorUpgrade":false,"isBreakingChange":false,"priorityScoreList":[]})
--->
Co-authored-by: snyk-bot <snyk-bot@snyk.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.