Security: colors library #489
Discuss adding our |
This will be holding a reference to an old version of the `colors` npm package. See SuffolkLITLab/ALKiln#489.
I think the ones that are failing are now failing because of the bootstrap update to the dev server. They need to be updated to v3 of kiln. Is that worth it, or should we wait till v4? It may be a couple weeks yet. React with 👍 for v3. React with 😄 for v4. [Decision: We'll take care of this first, then move forward as we can to scope the update to v3 and go from there. |
We may also want to set up scheduled tests with our own repository (after deleting package-lock.json) in case we have periods of low development frequency. Does that sound reasonable? What kind of schedule? Once a day/week/month? |
See SuffolkLITLab/ALKiln#489. Tests are probably failing because of the server bootstrap update. We need to update this repo to v3 of alkiln or to wait till v4 and then update to v4.
* Delete package-lock.json

  This will be holding a reference to an old version of the `colors` npm package. See SuffolkLITLab/ALKiln#489.

* For kiln, pin version of `colors` npm package

  See SuffolkLITLab/ALKiln#489.
These are ones I didn't list above because they are for testing and not as urgent. Should still get to them at some point: |
* Delete package-lock.json

  To pin colors package in alkiln

* For kiln tests, pin version of `colors` package

  See SuffolkLITLab/ALKiln#489.
If anyone needs to keep their package-lock.json, this other package is a possible solution: https://www.npmjs.com/package/npm-force-resolutions. It lets you put something in your package.json that overrides package-lock.json. |
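As an added example (not ALKiln project code and not from anyone in this thread), here is the check a maintainer can run before deciding between deleting package-lock.json, pinning `colors` in package.json, or using the npm-force-resolutions override described just above. It parses a package.json and a package-lock.json, lists every resolved copy of `colors` (including copies nested under other packages, which a top-level pin in "dependencies" does not govern), and reports the ones that differ from the pin. Both lockfile layouts are handled (the nested v1 tree and the flat "packages" map of v2/v3). The file contents and version strings are constructed samples, not real colors release numbers; the "resolutions" field is read because that is the override mechanism the comment above points to.

```python
"""Lockfile audit for one npm package (here `colors`).

Added example for this thread, not ALKiln project code. The package.json and
package-lock.json below are constructed samples; the version strings are
placeholders, not real colors release numbers."""
import json

# Constructed package.json: an exact pin in "dependencies", as the thread
# asks dependents to add. A "resolutions" entry (npm-force-resolutions) is
# honoured first if present.
PACKAGE_JSON = json.dumps({
    "name": "example-dependent",
    "dependencies": {"colors": "1.0.0", "some-cli": "2.3.4"},
})

# Constructed lockfileVersion 1 lock: the top-level colors matches the pin,
# but some-cli carries its own nested copy that the top-level pin does not
# govern.
PACKAGE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "colors": {"version": "1.0.0"},
        "some-cli": {
            "version": "2.3.4",
            "dependencies": {"colors": {"version": "1.0.7"}},
        },
    },
})

# Constructed lockfileVersion 2 lock for the same tree (flat "packages" map
# keyed by install path; the "dependencies" mirror is omitted for brevity).
PACKAGE_LOCK_V2 = json.dumps({
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-dependent"},
        "node_modules/colors": {"version": "1.0.0"},
        "node_modules/some-cli": {"version": "2.3.4"},
        "node_modules/some-cli/node_modules/colors": {"version": "1.0.7"},
    },
})


def pinned_version(package_json, name):
    """Return the version spec for `name`, preferring an override in
    "resolutions" over the ordinary dependency fields."""
    for field in ("resolutions", "dependencies", "devDependencies"):
        spec = package_json.get(field, {}).get(name)
        if spec is not None:
            return spec
    return None


def is_exact_pin(spec):
    """An exact pin is a bare version ("1.0.0"); "^1.0.0" or "~1.0.0" is a
    range that npm may resolve to a newer release on a fresh install."""
    return spec is not None and spec[:1].isdigit()


def resolved_copies(lock, name):
    """List (install_path, version) for every copy of `name` in the lockfile:
    the v2/v3 "packages" map when present, otherwise the v1 nested tree."""
    copies = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.endswith("node_modules/" + name):
                copies.append((path, meta.get("version")))
        return copies

    def walk(deps, prefix):
        for dep_name, meta in deps.items():
            path = prefix + "node_modules/" + dep_name
            if dep_name == name:
                copies.append((path, meta.get("version")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return copies


def audit(package_json_text, lock_text, name="colors"):
    """Compare every resolved copy of `name` against the package.json pin.
    Returns the pin, whether it is exact, all copies, and the mismatches.
    A non-exact pin makes every copy a mismatch, since none is guaranteed."""
    pkg = json.loads(package_json_text)
    lock = json.loads(lock_text)
    pin = pinned_version(pkg, name)
    copies = resolved_copies(lock, name)
    exact = is_exact_pin(pin)
    mismatches = [(p, v) for p, v in copies if not exact or v != pin]
    return {"pin": pin, "exact": exact, "copies": copies, "mismatches": mismatches}


if __name__ == "__main__":
    for label, lock in (("v1", PACKAGE_LOCK_V1), ("v2", PACKAGE_LOCK_V2)):
        result = audit(PACKAGE_JSON, lock)
        print(label, "pin:", result["pin"], "exact:", result["exact"])
        for path, version in result["mismatches"]:
            print("  mismatch:", path, "resolved", version)
```

A non-empty mismatch list is the case a top-level pin alone does not cover: the nested copy under `some-cli` is resolved by that package's own range, so regenerating the lockfile can pull it in again. That is the situation where an override that rewrites the lockfile (the npm-force-resolutions route above) is needed rather than just pinning and deleting package-lock.json.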
All necessary dependents have been handled. |
I'm thinking this is just going to be for v4. Not bothering with this for v3 unless we absolutely have to since none of the vulnerabilities are severe. My current rationale is that the more work we do to maintain 3, the less work we can do getting v4 ready for release. Ready to hear opinions.

- Close #164, update cucumber to v7
- Prepare for v8 of cucumber because I won't remember it later
- Close #394, update puppeteer
- Update our version of node (and that of our action that we'll run for other people's libs). [Addresses #393 so we can use the suffolk npm org package.]
- Use `npm audit` to fix the remaining vulnerabilities (now 0)
- [Remove package.json as discussed in #489 to align our tests' behaviors with those of our users.]

* Update action.yml node to v17
* Update from cucumber v6 to v7. See details. See https://github.com/cucumber/cucumber-js/blob/main/docs/migration.md#migrating-to-cucumber-js-7xx Only use cucumber setDefaultTimeout globally and use a shim that replicates the fix in v8 that lets you do custom timeouts more easily so we can still give enough time for steps that may need more time. Use all caps for statuses. Test screenshot step. Btw, the cucumber test output visually looks a bit different now - when a scenario passes, all the steps pass too. Sorry about the little comment changes, etc. Tried to remove a lot of those incidental unrelated changes.
* Update puppeteer to latest (13). See details below.
  - page.waitFor -> page.waitForTimeout and page.waitForSelector (Got deprecation notice. See puppeteer/puppeteer#6214.)
  - remove removeEventListener (we'd need to change it to removeListener anyway - v4.0.0 and see https://github.com/puppeteer/puppeteer/blob/main/docs/api.md#eventemitterremovelistenerevent-handler). For now we'll count on page close taking care of it, just in case removing it would prevent multiple-file-downloads.
* Update GitHub workflow node version, tweak changelog item order
* Fix npm audit vulnerabilities and update action.yml cucumber
* Pin the colors lib in action.yml
* Remove package-lock.json #489, use kiln v4 for users, CHANGELOG
* Fix custom timeout, remove duplicate report entry, as per review
Created log.txt and GitHub artifact for reports. Closes #466.

* add log.txt for report messages
* create artifact for logs
* Update changelog
* Update our package's dependencies for v4 (#503)
* Allow a developer to wait as a first Step v4. #387. Add test. (#506) Closes #387. Also, generally adds safety measures for when page does not exist. Very similar to PR #459, but moving the responsibility down to a spot that most functions make use of, meaning that it'll be applied to a lot more cases. They mostly won't need it, but it might still be worth being more comprehensive.
* Allow a developer to wait as a first Step v4. #387. Add test. Will be able to close once we've added this as an establishing step (in addition to it being a regular step). Also, generally adds safety measures for when page does not exist.
* Add test Co-authored-by: Bryce Willey <[email protected]> Co-authored-by: Bryce Willey <[email protected]>
* add log to gitignore and cleanup console.logs and typos
* add empty string to file Co-authored-by: plocket <[email protected]> Co-authored-by: Bryce Willey <[email protected]>
See https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/. Repos using ALKiln out there all have a package.json of their own and thus necessarily require cucumber itself in their package.json.
All dependents need to add a line in their package.json "dependencies" property:
We can see our dependents at https://github.com/SuffolkLITLab/ALKiln/network/dependents?package_id=UGFja2FnZS0xNDkzMjYzODcy
We also need to deprecate all previous versions of ALKiln.
that we still need to list: https://github.com/search?l=JSON&p=1&q=org%3ASuffolkLITLab+npm&type=Code. Thanks @BryceStevenWilley.