Comments (9)
@wraithgar Thanks a ton for this fix. Is it possible to also update the ssri dependency in 12.x of this project? For Webpack 4 support.

@wraithgar Strapi also depends on [email protected]. Is it possible to port this fix for v12? Thanks.

Since terser-webpack-plugin for webpack v4 depends on 12.x, it would be great if 12 could be patched.

+1 for adding this patch into v12

@Zajn Thanks for opening that PR. I spun it up locally but am also getting failing tests.

In the terser-webpack-plugin repo, @WayneEllery made a great point here about Node-version compatibility. [email protected] removes support for Node versions below 8. The package.json of [email protected] doesn't have an engines field, so I assume it supports all Node versions. Thus, bumping to [email protected] for v12 of this project could constitute a breaking change.

Something else I'm wondering about: According to the vulnerability report, "this issue only affects consumers using the strict option." Does v12 of this project even use the strict option? I did a quick browse thru v12 of the code base, and this line is the only thing that jumps out at me.

Finally, I started an issue in the ssri repo asking about protocol for porting the security fix into v6 of that package.

FYI ssri v6.0.2 released.
npm/ssri#18 (comment)

This module has been updated and the next CLI release will include this change.

I attempted to backport the bump to v12 and opened a PR, but all the tests that passed for me locally failed in CI. I'm not intimately familiar with Node development, so maybe someone more knowledgeable would be able to help me get that in a passing state.

> Thus, bumping to [email protected] for v12 of this project could constitute a breaking change.
>
> Does v12 of this project even use the strict option? I did a quick browse thru v12 of the code base, and this line is the only thing that jumps out at me.

@AndrewGibson27 Both good points. I don't know enough about the project to definitively say yes or no to the usage of strict, but it doesn't appear to me that any of the usages of ssri here do.

I've never done any Node development, so I may have run the tests improperly, which gave me a passing result. Locally, I just installed dependencies via npm install and then ran npm test.

> Finally, I started an issue in the ssri repo asking about protocol for porting the security fix into v6 of that package.

Thanks for doing that!