Fix opinionator #333

Merged
merged 9 commits into from
Aug 3, 2023

Conversation

@josephjclark josephjclark commented Aug 3, 2023

We've had a security alert from a low level dependency (word-wrap), which comes out of optionator.

The vulnerability affects two packages: salesforce and mailgun.

Salesforce is actually a red herring because it only affects a dev dependency, which I have corrected here (and has since been fixed on main). I've also removed yargs from salesforce deps as it's unneeded.

For mailgun I have overridden the version of optionator. If you install mailgun now and run `npm why optionator`, you can see that the version is correctly overridden:

[image: screenshot of the `npm why optionator` output]

Note that adding the override in the monorepo root (via pnpm) doesn't actually affect the built packages (disappointing but on reflection perhaps not surprising). So we have to do it in the adaptor itself.

This is a good workaround until we properly update the mailgun package.

Note that this is based on the pnpm bump branch.

Closes #330 (and the associated vulnerabilities)
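As an added example (not code from this PR or the project), a small check in the spirit of `npm why optionator`: given a package-lock.json v3 `packages` map, it lists every installed copy of a dependency together with the packages that resolve to it, and confirms all copies meet a minimum version, so an override placed in the adaptor's own package.json can be verified mechanically rather than by eye. The lock data and version numbers below are constructed, not taken from the repository.

```javascript
// Added example: a minimal "npm why" over a package-lock.json v3 "packages"
// map, used to confirm that a transitive dependency (here optionator) resolves
// to the overridden version inside the built package. Not project code.
// Constructed sample lock data: eslint still declares optionator ^0.9.1 while
// the override pinned the single installed copy to a constructed 0.9.3.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { eslint: "^8.0.0" } },
    "node_modules/eslint": { version: "8.46.0", dependencies: { optionator: "^0.9.1" } },
    "node_modules/optionator": { version: "0.9.3", dependencies: { "word-wrap": "^1.2.5" } },
    "node_modules/word-wrap": { version: "1.2.5" },
  },
};

// Node-style resolution on lock paths: look for `name` in the dependent's own
// node_modules, then walk up one nesting level at a time until the root.
function resolveDep(packages, from, name) {
  let dir = from;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (dir === "") return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Returns { [installedPath]: { version, dependents } } for every copy of `name`.
function why(lock, name) {
  const { packages } = lock;
  const result = {};
  for (const [path, meta] of Object.entries(packages)) {
    if (!meta.dependencies || !(name in meta.dependencies)) continue;
    const target = resolveDep(packages, path, name);
    if (!target) continue;
    result[target] ??= { version: packages[target].version, dependents: [] };
    result[target].dependents.push(path || "(root)");
  }
  return result;
}

// Numeric dotted-version compare (no prerelease tags), enough for a pin check.
function atLeast(version, minimum) {
  const a = version.split(".").map(Number), b = minimum.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// True when every installed copy of `name` is at or above `minimum`.
function overrideHeld(lock, name, minimum) {
  return Object.values(why(lock, name)).every(e => atLeast(e.version, minimum));
}
```

Run it against the real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` in the built adaptor's directory; a second key in the result (for example a nested `node_modules/<dep>/node_modules/optionator`) means the override did not reach every copy.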

@josephjclark
Collaborator Author

@mtuchi I've just rebased this on top of the other changes


@mtuchi mtuchi left a comment


I think the changes in salesforce/package.json revert what was done in PR #337.

We should remove them since they are already done.
@josephjclark
Collaborator Author

Thanks for being vigilant @mtuchi !

I've checked out the package.json from main and removed yargs. It should be up to date now.

@mtuchi
Collaborator

mtuchi commented Aug 3, 2023

This looks good now, I am going to merge it.

@mtuchi mtuchi merged commit 8a902a6 into main Aug 3, 2023
@mtuchi mtuchi deleted the fix-opinionator branch August 3, 2023 15:22
Successfully merging this pull request may close these issues.

Pin version of opinionator