[Snyk] Fix for 3 vulnerabilities#43
Open
Mapuppy09 wants to merge 868 commits intofritzy/linked-install2from
Open
[Snyk] Fix for 3 vulnerabilities#43Mapuppy09 wants to merge 868 commits intofritzy/linked-install2from
Mapuppy09 wants to merge 868 commits intofritzy/linked-install2from
Conversation
deps: init-package-json@6.0.2 deps: promzard@1.0.1
The ISO 8601 references is broken broken due to `"` appended at the end.
…ier (npm#7346) There are a bunch of places were we load `semver`, I'm trying to see if I can remove the full import for `semver` and only import the specific functions. Currently, I didn't have any perf improvement since we still load the entire `semver`, once we have removed all the package loads, then we could see some improvement (a little bit).
This PR addresses an issue where CLI flags were not taking precedence over publishConfig settings. To ensure CLI flags have higher priority, properties from the publishConfig object that also exist in CLI flags are filtered out. Related to npm#6400
 This package takes 5ms to load even if we didn't use it.
Lazy loading `workspaces` and `glob` dependencies, will avoid loading the dependency when running inside a repo that is not a workspace and also will not load `glob` when is not needed. Before:  After: 
…pm#7360) If we didn't load `glob`, we can save up to `6ms` by lazy loading this module.
This adds some lazy loading, inlines some single use functions, and also removes the "define" function in the definitions file. That was guarding against something that isn't worth the runtime to check for.
I missed these calls when first moving to `@npmcli/redact`. This isn't a performance specific PR but I assume it will help since there are now a few places where we no longer need to require `npm-registry-fetch` at all.
…npm#7582) Small doc fix. Reviewing the section on `funding` on docs.npmjs.com, I noticed some odd code-block formatting, as well as some opportunities to clarify. The current weirdness:  Glad to see string-or-object worked out.
…bally (npm#7587) When multiple version of the same package is exist globally either at top level or at any level as a sub dependency, even though the version specified does not exist at top level it was running top level bin since it matches the bin name. This fixes checks for depth of the found node along with already existing specs checks. Fixes: npm#7486
- closes npm#7614 ## Issue Examples in the [repository](https://docs.npmjs.com/cli/v10/configuring-npm/package-json#repository) section of the [npm CI > Configuring npm > package.json](https://docs.npmjs.com/cli/v10/configuring-npm/package-json) reference page use the protocol `https`. The examples are: ```json "url": "https://github.com/npm/cli.git" ``` ```json "url": "https://github.com/facebook/react.git" ``` Executing `npm pkg fix` in a repo with a `url` definition and `protocol` using `https` normalizes the protocol to `git+https`. Examples should be aligned with what `npm pkg fix` considers correct and should also be aligned to the list of valid protocols in the [Git URLs as Dependencies](https://docs.npmjs.com/cli/v10/configuring-npm/package-json#git-urls-as-dependencies) section, which states: > `<protocol>` is one of `git`, `git+ssh`, `git+http`, `git+https`, or `git+file`. ## Change 1. `npm/cli.git` Change to ```json "url": "git+https://github.com/npm/cli.git" ``` 2. `facebook/react.git` Since the source example of https://github.com/facebook/react/blob/main/packages/react-dom/package.json does not use the correct `git+https` protocol, use instead ```json "url": "git+https://github.com/npm/cli.git", "directory": "workspaces/libnpmpublish" ```
…pm#7602) When metadata is committed for the first time when there is no package-lock, when target node has the same name field value as target package name and link node also share the same name field, name field is omitted from lock file, in subsequent times when there is already a lock file, it reads target node with name field derived from realpath value of the node and included in lock file. this creates mismatch of lock file between installs. This PR adds additional condition to check if name derived from realpath is the same name as package and adds the name property. Fixes: npm#7166
It has historically not worked very consistently and we don't have the bandwidth to keep fixing it.
…npm#7579) <!-- What / Why --> If a node represents a symbolic link or a file dep (node.isLink is true), its target is expected to reference another node in the dependency tree. If the linking is not done correctly or is incomplete, node.target might be null. <!-- Describe the request in detail. What it does and why it's being changed. --> in this PR, a null check is added to ensure node.target is not null or before proceeding, which will prevent causing errors like: `npm error Cannot set properties of null (setting 'peer')` ## References Related to npm#7065, Fixes npm#6622, npm#5007, Closes npm#6622, npm#5007
This change solves npm#4783 <!-- What / Why --> <!-- Describe the request in detail. What it does and why it's being changed. --> During 'npm cache verify', currently all the cache files are open at the same time, which will bring EMFILE error in an environment that limit max open files. This change limits the concurrent open files in garbageCollect() with p-map module to avoid this problem. ## References Fixes npm#4783
…#7640) Handle arborist error when loading and checking package in global tree.
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230 - https://snyk.io/vuln/SNYK-JS-GLOB-14040952 - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230 - https://snyk.io/vuln/SNYK-JS-GLOB-14040952 - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to fix 3 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-CROSSSPAWN-8303230
SNYK-JS-GLOB-14040952
SNYK-JS-BRACEEXPANSION-9789073
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Command Injection