deps(git): update git-url-parse
#4635
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
➤ YN0000: │ No packages can be deduped using the highest strategy ➤ YN0000: └ Completed in 0s 264ms ➤ YN0000: ┌ Resolution step ➤ YN0002: │ @endemolshinegroup/cosmiconfig-typescript-loader@npm:3.0.2 [714f3] doesn't provide typescript (p88d18), requested by ts-node ➤ YN0002: │ @yarnpkg/gatsby@workspace:packages/gatsby doesn't provide @emotion/core (pa19bb), requested by gatsby-plugin-mdx ➤ YN0002: │ @yarnpkg/gatsby@workspace:packages/gatsby doesn't provide webpack (pe1aa2), requested by gatsby-plugin-favicon ➤ YN0060: │ @yarnpkg/monorepo@workspace:. provides eslint (pf82c3) with version 8.2.0, which doesn't satisfy what @yarnpkg/eslint-config and some of its descendants request ➤ YN0002: │ acceptance-tests@workspace:packages/acceptance-tests doesn't provide jest (pcc8ab), requested by jest-json ➤ YN0002: │ gatsby-cli@npm:3.14.0 [7243a] doesn't provide ink (p4a7fc), requested by gatsby-recipes ➤ YN0060: │ gatsby-recipes@npm:0.25.0 [bb88b] provides graphql (pc0633) with version 15.5.0, which doesn't satisfy what graphql-subscriptions requests ➤ YN0002: │ gatsby@npm:3.14.0 [118b2] doesn't provide babel-eslint (p70342), requested by eslint-config-react-app ➤ YN0002: │ react-instantsearch-dom@npm:6.6.0 [118b2] doesn't provide algoliasearch (p65251), requested by algoliasearch-helper ➤ YN0002: │ react-instantsearch-dom@npm:6.6.0 [118b2] doesn't provide algoliasearch (p5ab0d), requested by react-instantsearch-core ➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code ➤ YN0000: └ Completed in 0s 442ms ➤ YN0000: ┌ Fetch step ➤ YN0000: └ Completed in 0s 869ms ➤ YN0000: ┌ Link step ➤ YN0005: │ core-js@npm:2.6.11 lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ core-js@npm:3.18.0 lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ gatsby-telemetry@npm:2.14.0 lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ gatsby@npm:3.14.0 [118b2] lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ core-js-pure@npm:3.21.1 lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ gatsby-cli@npm:3.14.0 [7243a] lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ fsevents@patch:fsevents@npm%3A1.2.13#optional!builtin<compat/fsevents>::version=1.2.13&hash=18f3a7 lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0000: └ Completed in 0s 383ms ➤ YN0000: Done with warnings in 2s 112ms
dkhaye
changed the title
parse-path to avoid Authorization Bypass vulnerabilityparse-path to avoid Authorization Bypass vulnerability
dkhaye
changed the title
parse-path to avoid Authorization Bypass vulnerabilityparse-path to avoid Authorization Bypass vulnerability
merceyz
changed the title
parse-path to avoid Authorization Bypass vulnerabilitygit-url-parse
merceyz
requested changes
Jul 18, 2022
There was a problem hiding this comment.
Looks like that version is a bit buggy so I'll put this on hold for now.
|
Based on the result of IonicaBizau/parse-url#46, it seems like It seems like we are only using httpUtils.getNetworkSettings(`https://${GitUrlParse(normalizedRepoUrl).resource}`, {configuration})Maybe we can remove our dependency on this package completely, since we are already doing URL normalization in |
|
I added a couple of test cases locally in it(`should properly normalize ${pattern} ({ git: false })`, () => {
expect(gitUtils.normalizeRepoUrl(pattern)).toMatchSnapshot();
+ expect(GitUrlParse(gitUtils.normalizeRepoUrl(pattern)).resource).toMatchSnapshot();
});
it(`should properly normalize ${pattern} ({ git: true })`, () => {
expect(gitUtils.normalizeRepoUrl(pattern, {git: true})).toMatchSnapshot();
+ expect(GitUrlParse(gitUtils.normalizeRepoUrl(pattern, {git: true})).resource).toMatchSnapshot();
});The snapshots are the same between |
|
The reported change in behavior in |
@merceyz Can you look at this again? As indicated by @mhassan1 here, the issue was closed as not being a problem. For good measure, I went ahead and updated to the latest, 13.1.0. |
|
@dkhaye It looks like there are conflicts now. |
|
@dkhaye It looks like there are conflicts again. |
|
Sorry for the delay, the tests pass so I think we can merge it. Note however that as a general policy, I tend to avoid auto-updating dependencies on this repository unless they actually fix something in Yarn (under the premise that blind upgrades are just as risky if not more, as we bring untested and often unneeded new code). The issue reported in #4623 isn't attached to an actual exploitation showcase against Yarn, so upgrading Still, I appreciate you taking time to address an open ticket! |
merceyz
added a commit
that referenced
this pull request
Nov 8, 2022
* checkpoint * add version info * run ➤ YN0000: ┌ Deduplication step ➤ YN0000: │ No packages can be deduped using the highest strategy ➤ YN0000: └ Completed in 0s 264ms ➤ YN0000: ┌ Resolution step ➤ YN0002: │ @endemolshinegroup/cosmiconfig-typescript-loader@npm:3.0.2 [714f3] doesn't provide typescript (p88d18), requested by ts-node ➤ YN0002: │ @yarnpkg/gatsby@workspace:packages/gatsby doesn't provide @emotion/core (pa19bb), requested by gatsby-plugin-mdx ➤ YN0002: │ @yarnpkg/gatsby@workspace:packages/gatsby doesn't provide webpack (pe1aa2), requested by gatsby-plugin-favicon ➤ YN0060: │ @yarnpkg/monorepo@workspace:. provides eslint (pf82c3) with version 8.2.0, which doesn't satisfy what @yarnpkg/eslint-config and some of its descendants request ➤ YN0002: │ acceptance-tests@workspace:packages/acceptance-tests doesn't provide jest (pcc8ab), requested by jest-json ➤ YN0002: │ gatsby-cli@npm:3.14.0 [7243a] doesn't provide ink (p4a7fc), requested by gatsby-recipes ➤ YN0060: │ gatsby-recipes@npm:0.25.0 [bb88b] provides graphql (pc0633) with version 15.5.0, which doesn't satisfy what graphql-subscriptions requests ➤ YN0002: │ gatsby@npm:3.14.0 [118b2] doesn't provide babel-eslint (p70342), requested by eslint-config-react-app ➤ YN0002: │ react-instantsearch-dom@npm:6.6.0 [118b2] doesn't provide algoliasearch (p65251), requested by algoliasearch-helper ➤ YN0002: │ react-instantsearch-dom@npm:6.6.0 [118b2] doesn't provide algoliasearch (p5ab0d), requested by react-instantsearch-core ➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code ➤ YN0000: └ Completed in 0s 442ms ➤ YN0000: ┌ Fetch step ➤ YN0000: └ Completed in 0s 869ms ➤ YN0000: ┌ Link step ➤ YN0005: │ core-js@npm:2.6.11 lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ core-js@npm:3.18.0 lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ gatsby-telemetry@npm:2.14.0 lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ gatsby@npm:3.14.0 [118b2] lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ core-js-pure@npm:3.21.1 lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ gatsby-cli@npm:3.14.0 [7243a] lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0005: │ fsevents@patch:fsevents@npm%3A1.2.13#optional!builtin<compat/fsevents>::version=1.2.13&hash=18f3a7 lists build scripts, but its build has been explicitly disabled through configuration. ➤ YN0000: └ Completed in 0s 383ms ➤ YN0000: Done with warnings in 2s 112ms * chore: change release type * fix .pnp.cjs * upgrade git-url-parse to 13.1.0 * add missing .yarn/ files * run yarn dedupe * run 'yarn dedupe' Co-authored-by: merceyz <merceyz@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What's the problem this PR addresses?
Resolves #4623
...
How did you fix it?
Upgrade to
git-url-parse@^12.0.0within@yarnpkg/plugin-git...
Checklist