fix: upgrade to the latest version of sane to remove vulnerability in merge v1.2.0 #7322
Conversation
Upgrade to the latest version of sane to remove vulnerability in merge v1.2.0
Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please sign up at https://code.facebook.com/cla. If you are contributing on behalf of someone else (e.g. your employer), the individual CLA may not be sufficient and your employer may need the corporate CLA signed. If you have received this in error or have any questions, please contact us at [email protected]. Thanks!
Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Facebook open source project. Thanks!
This is a breaking change for Jest. I never got an answer in amasad/sane#130, would love to understand the change made there
/cc @amasad @stefanpenner |
Sorry, I was under the impression that jest forked/inlined sane. Can't find it now but remember an issue or a PR about it. Anyways, I might be mistaken, so I apologize. @stefanpenner are you open to bringing back fs-events?
@amasad we could, although it is a hazard for our users. I would much prefer the following: allow jest to provide fs-events to sane, rather than sane providing it. That way, by default sane does not introduce native dependencies, but those who would prefer to utilize it can provide it. If that sounds reasonable, I will gladly implement what is needed. Thoughts?
SGTM!
On Fri, Nov 2, 2018, 5:40 PM Stefan Penner wrote:
@amasad we could, although it is a hazard for our users. I would much prefer the following: allow jest to provide fs-events to sane, rather than sane providing it. That way, by default sane does not introduce native dependencies, but those who would prefer to utilize it can provide it. If that sounds reasonable, I will gladly implement what is needed. Thoughts?
Can this be prioritised?
Updating in Jest master won't help your alerts as we are currently working on our next major, and have landed a bunch of breaking changes that will make it harder to release a patch. If sane could release a patch for v3, that would be the quickest, as it'd be within semver range for Jest's dependency. If that's impossible, we'll have to do some juggling with branches on our side
In my project an
@stefanpenner any news here? 🙂
There's a security vulnerability in a sub-dependency of jest: jestjs/jest#7322 Relocking fixed that. But the emotion serializer then gave a bit different results, and I noticed I was still on a beta there, so I bumped that to the latest and re-snapshotted everything.
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Summary
Upgrade to the latest version of sane to remove vulnerability in merge v1.2.0
And this would upgrade exec-sh to v0.3.2, which removes insecure merge package (CVE-2018-16469)
close #7318
sane project reference 4.0.2 here amasad/sane#132
Test plan