Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deps(git): update git-url-parse #4635

Merged
merged 12 commits into from
Nov 8, 2022
Merged

deps(git): update git-url-parse #4635

merged 12 commits into from
Nov 8, 2022

Conversation

dkhaye
Copy link
Contributor

@dkhaye dkhaye commented Jul 18, 2022

What's the problem this PR addresses?
Resolves #4623

...

How did you fix it?
Upgrade to git-url-parse@^12.0.0 within @yarnpkg/plugin-git

...

Checklist

  • I have set the packages that need to be released for my changes to be effective.
  • I will check that all automated PR checks pass before the PR gets reviewed.

@dkhaye
checkpoint
6ce50fb
@dkhaye
add version info
5196afd
@dkhaye
run ➤ YN0000: ┌ Deduplication step
305cab7 
➤ YN0000: │ No packages can be deduped using the highest strategy
➤ YN0000: └ Completed in 0s 264ms
➤ YN0000: ┌ Resolution step
➤ YN0002: │ @endemolshinegroup/cosmiconfig-typescript-loader@npm:3.0.2 [714f3] doesn't provide typescript (p88d18), requested by ts-node
➤ YN0002: │ @yarnpkg/gatsby@workspace:packages/gatsby doesn't provide @emotion/core (pa19bb), requested by gatsby-plugin-mdx
➤ YN0002: │ @yarnpkg/gatsby@workspace:packages/gatsby doesn't provide webpack (pe1aa2), requested by gatsby-plugin-favicon
➤ YN0060: │ @yarnpkg/monorepo@workspace:. provides eslint (pf82c3) with version 8.2.0, which doesn't satisfy what @yarnpkg/eslint-config and some of its descendants request
➤ YN0002: │ acceptance-tests@workspace:packages/acceptance-tests doesn't provide jest (pcc8ab), requested by jest-json
➤ YN0002: │ gatsby-cli@npm:3.14.0 [7243a] doesn't provide ink (p4a7fc), requested by gatsby-recipes
➤ YN0060: │ gatsby-recipes@npm:0.25.0 [bb88b] provides graphql (pc0633) with version 15.5.0, which doesn't satisfy what graphql-subscriptions requests
➤ YN0002: │ gatsby@npm:3.14.0 [118b2] doesn't provide babel-eslint (p70342), requested by eslint-config-react-app
➤ YN0002: │ react-instantsearch-dom@npm:6.6.0 [118b2] doesn't provide algoliasearch (p65251), requested by algoliasearch-helper
➤ YN0002: │ react-instantsearch-dom@npm:6.6.0 [118b2] doesn't provide algoliasearch (p5ab0d), requested by react-instantsearch-core
➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
➤ YN0000: └ Completed in 0s 442ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed in 0s 869ms
➤ YN0000: ┌ Link step
➤ YN0005: │ core-js@npm:2.6.11 lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ core-js@npm:3.18.0 lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ gatsby-telemetry@npm:2.14.0 lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ gatsby@npm:3.14.0 [118b2] lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ core-js-pure@npm:3.21.1 lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ gatsby-cli@npm:3.14.0 [7243a] lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ fsevents@patch:fsevents@npm%3A1.2.13#optional!builtin<compat/fsevents>::version=1.2.13&hash=18f3a7 lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0000: └ Completed in 0s 383ms
➤ YN0000: Done with warnings in 2s 112ms
@dkhaye dkhaye changed the title Upgrade parse-path to avoid Authorization Bypass vulnerability fix(plugin-git) Upgrade parse-path to avoid Authorization Bypass vulnerability Jul 18, 2022
@dkhaye dkhaye changed the title fix(plugin-git) Upgrade parse-path to avoid Authorization Bypass vulnerability fix(plugin-git): Upgrade parse-path to avoid Authorization Bypass vulnerability Jul 18, 2022
@merceyz merceyz changed the title fix(plugin-git): Upgrade parse-path to avoid Authorization Bypass vulnerability deps(git): update git-url-parse Jul 18, 2022
merceyz
merceyz requested changes Jul 18, 2022
View reviewed changes
Copy link
Member

@merceyz merceyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like that version is a bit buggy so I'll put this on hold for now.

@mhassan1
Copy link
Contributor

mhassan1 commented Jul 27, 2022
edited
Loading

Based on the result of IonicaBizau/parse-url#46, it seems like git://github.com:user/repo will no longer be supported in git-url-parse@12 and higher. It seems like that could be a breaking change for Yarn users.

It seems like we are only using git-url-parse here and here for:

httpUtils.getNetworkSettings(`https://${GitUrlParse(normalizedRepoUrl).resource}`, {configuration})

Maybe we can remove our dependency on this package completely, since we are already doing URL normalization in normalizeRepoUrl.

@mhassan1
Copy link
Contributor

mhassan1 commented Jul 27, 2022
edited
Loading

I added a couple of test cases locally in gitUtils.test.ts:

  it(`should properly normalize ${pattern} ({ git: false })`, () => {
    expect(gitUtils.normalizeRepoUrl(pattern)).toMatchSnapshot();
+   expect(GitUrlParse(gitUtils.normalizeRepoUrl(pattern)).resource).toMatchSnapshot();
  });
  it(`should properly normalize ${pattern} ({ git: true })`, () => {
    expect(gitUtils.normalizeRepoUrl(pattern, {git: true})).toMatchSnapshot();
+   expect(GitUrlParse(gitUtils.normalizeRepoUrl(pattern, {git: true})).resource).toMatchSnapshot();
  });

The snapshots are the same between git-url-parse@11 and git-url-parse@12. So at least none of the test patterns are affected by the upgrade.

@arcanis arcanis requested a review from merceyz August 4, 2022 11:58
@mhassan1
Copy link
Contributor

mhassan1 commented Sep 1, 2022

The reported change in behavior in git-url-parse has been closed as not a problem. It seems like Yarn users should not be affected by it.

@dkhaye
Copy link
Contributor Author

dkhaye commented Sep 26, 2022
edited
Loading

Looks like that version is a bit buggy so I'll put this on hold for now.

@merceyz Can you look at this again?

As indicated by @mhassan1 here, the issue was closed as not being a problem.

For good measure, I went ahead and updated to the latest, 13.1.0.
There is another possible issue, but as indicated by @mhassan1 here this is not relevant to how this package is used within yarn.

@mhassan1
Copy link
Contributor

@dkhaye It looks like there are conflicts now.

@dkhaye
Copy link
Contributor Author

dkhaye commented Oct 25, 2022

@mhassan1 re-merged master
@merceyz PTAL

@mhassan1
Copy link
Contributor

mhassan1 commented Nov 8, 2022

@dkhaye It looks like there are conflicts again.

@dkhaye
Copy link
Contributor Author

dkhaye commented Nov 8, 2022

@mhassan1 Thanks again.
For posterity, my method of resolving conflicts on this branch has been:

git pull origin master
git checkout origin/master -- .yarn/cache .pnp.cjs yarn.lock
yarn install
yarn dedupe

@merceyz and @arcanis any chance this can get re-reviewed?

@arcanis
Copy link
Member

arcanis commented Nov 8, 2022

Sorry for the delay, the tests pass so I think we can merge it.

Note however that as a general policy, I tend to avoid auto-updating dependencies on this repository unless they actually fix something in Yarn (under the premise that blind upgrades are just as risky if not more, as we bring untested and often unneeded new code). The issue reported in #4623 isn't attached to an actual exploitation showcase against Yarn, so upgrading git-url-parse wouldn't seem useful except for the benefit of third-party services like Snyk.

Still, I appreciate you taking time to address an open ticket!

@arcanis arcanis merged commit 8171d09 into yarnpkg:master Nov 8, 2022
merceyz added a commit that referenced this pull request Nov 8, 2022
@dkhaye @merceyz
deps(git): update git-url-parse (#4635)
5fe3c5d 
* checkpoint

* add version info

* run ➤ YN0000: ┌ Deduplication step
➤ YN0000: │ No packages can be deduped using the highest strategy
➤ YN0000: └ Completed in 0s 264ms
➤ YN0000: ┌ Resolution step
➤ YN0002: │ @endemolshinegroup/cosmiconfig-typescript-loader@npm:3.0.2 [714f3] doesn't provide typescript (p88d18), requested by ts-node
➤ YN0002: │ @yarnpkg/gatsby@workspace:packages/gatsby doesn't provide @emotion/core (pa19bb), requested by gatsby-plugin-mdx
➤ YN0002: │ @yarnpkg/gatsby@workspace:packages/gatsby doesn't provide webpack (pe1aa2), requested by gatsby-plugin-favicon
➤ YN0060: │ @yarnpkg/monorepo@workspace:. provides eslint (pf82c3) with version 8.2.0, which doesn't satisfy what @yarnpkg/eslint-config and some of its descendants request
➤ YN0002: │ acceptance-tests@workspace:packages/acceptance-tests doesn't provide jest (pcc8ab), requested by jest-json
➤ YN0002: │ gatsby-cli@npm:3.14.0 [7243a] doesn't provide ink (p4a7fc), requested by gatsby-recipes
➤ YN0060: │ gatsby-recipes@npm:0.25.0 [bb88b] provides graphql (pc0633) with version 15.5.0, which doesn't satisfy what graphql-subscriptions requests
➤ YN0002: │ gatsby@npm:3.14.0 [118b2] doesn't provide babel-eslint (p70342), requested by eslint-config-react-app
➤ YN0002: │ react-instantsearch-dom@npm:6.6.0 [118b2] doesn't provide algoliasearch (p65251), requested by algoliasearch-helper
➤ YN0002: │ react-instantsearch-dom@npm:6.6.0 [118b2] doesn't provide algoliasearch (p5ab0d), requested by react-instantsearch-core
➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
➤ YN0000: └ Completed in 0s 442ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed in 0s 869ms
➤ YN0000: ┌ Link step
➤ YN0005: │ core-js@npm:2.6.11 lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ core-js@npm:3.18.0 lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ gatsby-telemetry@npm:2.14.0 lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ gatsby@npm:3.14.0 [118b2] lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ core-js-pure@npm:3.21.1 lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ gatsby-cli@npm:3.14.0 [7243a] lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0005: │ fsevents@patch:fsevents@npm%3A1.2.13#optional!builtin<compat/fsevents>::version=1.2.13&hash=18f3a7 lists build scripts, but its build has been explicitly disabled through configuration.
➤ YN0000: └ Completed in 0s 383ms
➤ YN0000: Done with warnings in 2s 112ms

* chore: change release type

* fix .pnp.cjs

* upgrade git-url-parse to 13.1.0

* add missing .yarn/ files

* run yarn dedupe

* run 'yarn dedupe'

Co-authored-by: merceyz <[email protected]>
@legobeat legobeat mentioned this pull request Jul 6, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@merceyz merceyz Awaiting requested review from merceyz

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug?]: Vulnerability introduced through parse-path transitive dependency
4 participants
@dkhaye @mhassan1 @arcanis @merceyz