惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Securelist
C
CERT Recently Published Vulnerability Notes
Forbes - Security
Forbes - Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
L
LINUX DO - 最新话题
The Hacker News
The Hacker News
Google Online Security Blog
Google Online Security Blog
SecWiki News
SecWiki News
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The Last Watchdog
The Last Watchdog
S
Schneier on Security
T
Troy Hunt's Blog
N
News | PayPal Newsroom
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Schneier on Security
Schneier on Security
P
Privacy & Cybersecurity Law Blog
T
Tor Project blog
T
Threatpost
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
A
Arctic Wolf
S
Secure Thoughts
P
Proofpoint News Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Security Latest
Security Latest
Scott Helme
Scott Helme
Security Archives - TechRepublic
Security Archives - TechRepublic
Latest news
Latest news
PCI Perspectives
PCI Perspectives
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Hacker News - Newest:
Hacker News - Newest: "LLM"
L
LINUX DO - 热门话题
P
Palo Alto Networks Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
G
GRAHAM CLULEY
V2EX - 技术
V2EX - 技术
Google DeepMind News
Google DeepMind News
Project Zero
Project Zero
V
Vulnerabilities – Threatpost
T
Threat Research - Cisco Blogs
Webroot Blog
Webroot Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
N
News and Events Feed by Topic
TaoSecurity Blog
TaoSecurity Blog
大猫的无限游戏
大猫的无限游戏
T
Tenable Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
Visual Studio Blog
H
Hacker News: Front Page
Simon Willison's Weblog
Simon Willison's Weblog
AWS News Blog
AWS News Blog

oida.dev | TypeScript, Rust

TypeScript's `erasableSyntaxOnly` Flag Unsafe for work Tokio: Macros Tokio: Channels Tokio: Getting Started Network Applications on the Tokio Stack Remake, Remodel, Reduce. The `never` type and error handling in TypeScript 5 Inconvenient Truths about TypeScript Refactoring in Rust: Introducing Traits Refactoring in Rust: Abstraction with the Newtype Pattern Announcing the TypeScript Cookbook TypeScript: Iterating over objects The road to universal JavaScript 10 years of oida.dev Rust: Tiny little traits The TypeScript converging point How not to learn TypeScript Getting started with Rust Introducing Slides and Coverage TypeScript: The humble function overload TypeScript + React: Children types are broken TypeScript: In defense of any Rust: Enums to wrap multiple errors Dissecting Deno Error handling in Rust TypeScript: Unexpected intersections TypeScript: Array.includes on narrow types TypeScript + React: Typing Generic forwardRefs shared, util, core: Schroedinger's module names Learning Rust and Go TypeScript: Narrow types in catch clauses TypeScript: Low maintenance types Tidy TypeScript: Name your generics Tidy TypeScript: Avoid traditional OOP patterns Tidy TypeScript: Prefer type aliases over interfaces Tidy TypeScript: Prefer union types over enums My new book: TypeScript in 50 Lessons Go Preact! ❤️ this in JavaScript and TypeScript TypeScript and ECMAScript Modules TypeScript + React: Why I don't use React.FC TypeScript + React: Component patterns TypeScript: Augmenting global and lib.dom.d.ts Vite with Preact and TypeScript TypeScript: Union to intersection type 11ty: Generate Twitter cards automatically Are large node module dependencies an issue? TypeScript: Variadic Tuple Types Preview TypeScript: Improving Object.keys Remake, Remodel. Part 4. TypeScript + React: Typing custom hooks with tuple types TypeScript: Assertion signatures and Object.defineProperty TypeScript: Check for object properties and narrow down type Boolean in JavaScript and TypeScript void in JavaScript and TypeScript Symbols in JavaScript and TypeScript Why I use TypeScript TypeScript + React: Extending JSX Elements TypeScript: Validate mapped types and const context TypeScript: Match the exact object shape TypeScript: The constructor interface pattern Streaming your Meetup - Part 4: Directing and Streaming with OBS Streaming your Meetup - Part 3: Speaker audio Streaming your Meetup - Part 2: Speaker video Streaming your Meetup - Part 1: Basics and Projector TypeScript and React Guide: Added a new styles chapter TypeScript and React Guide: Added a new render props chapter TypeScript and React: Styles and CSS TypeScript and React TypeScript and React Guide: Added a new prop types chapter TypeScript without TypeScript -- JSDoc superpowers TypeScript: Mapped types for type maps JAMStack vs serverless web apps The Unsung Benefits of JAMStack Sites TypeScript: Ambient modules for Webpack loaders My most favourite talks in 2018 TypeScript and React Guide: Added a new context chapter TypeScript: Built-in generic types TypeScript: Type predicates JSX is syntactic sugar TypeScript and React Guide: Added a new hooks chapter Getting your CfP application right FAQ on our Angular Connect Talk: Automating UI development TypeScript and Substitutability Debugging Node.js apps in TypeScript with Visual Studio Code From Medium: Deconfusing Pre- and Post-processing From Medium: PostCSS misconceptions Saving and scraping a website with Puppeteer Cutting the mustard - 2018 edition Wordpress as CMS for your JAMStack sites My most favourite podcast episodes in 2017 My most favourite talks in 2017 My most favourite books in 2017 The Best Request Is No Request, Revisited Not so hidden figures - Organizing ScriptConf My podcast journey to ScriptCast Grid layout, grid layout everywhere! #scriptconf and #devone Object streams in Node.js
Upgrading Node.js dependencies after a yarn audit
2021-07-07 · via oida.dev | TypeScript, Rust

It’s Tuesday! The day of your weekly dependabot alerts from GitHub! A nice reminder to check on your projects, and usually just a few clicks worth of work, the automatic update is wonderful.

If it doesn’t, a quick npm audit fix might be able to do all updates without any issues. Oh wait, this project has a yarn.lock file! How should I deal with that? A yarn audit fix does not exist and won’t happen! What should I do? Check the lockfile manually?

Come on, usually yarn audits look like this:

4566 vulnerabilities found - Packages audited: 990
Severity: 1 Low | 89 Moderate | 4476 High
✨ Done in 4.66s.

🥲

Nah, there’s a better way. Or even better ways. Please note that my experiences deal with Yarn versions 1, which are widely used until this day. I didn’t take into account upcoming versions like berry.

The maybe-its-good-enough #

This is the easiest way. Step 1: Remove your lockfile and node_modules!

$ rm yarn.lock
$ rm -rf node_modules

Cool. Step 2. Create a new lockfile by installing everything again.

$ yarn install

Step 3. Check again!

$ yarn audit

Maybe that’s all you needed. Just a fresh install of your existing dependencies, where all the transient dependencies got an update to the most recent versions. If that’s not good enough, go the long way down.

The long way down #

The long way down includes upgrading your dependencies manually, either by yarn upgrade or the more elaborate yarn upgrade-interactive

$ yarn upgrade-interactive

The latter one gives you a nice view where you can select which packages you want to update. Also in which state they are: Need an update but are within SEMVER constraints, or do they potentially break everything along the way. SEMVER and Node.js are a double-edged sword. It’s great as long people know the constraints and implications of SEMVER and stick to it. That might not be always the case, though.

But hey, let’s upgrade everything along the way and see how it turns out.

23 vulnerabilities found - Packages audited: 1126
Severity: 1 Low | 10 Moderate | 12 High
✨ Done in 1.42s.

Nice, that’s a lot less than earlier on… there are still a couple of dependencies that are vulnerable. The audit also tells us which versions are affected and which ones feature patches.

This is actually the part that sometimes makes me a little sad. If you see a couple of version gates in your dependency that fix the problem, it sometimes tells us that developers spend the time to do backports of security fixes just to give folks who are within SEMVER constraints a chance to use the old version of their package.

Still, we’re not able to upgrade.

But what we can do is to tell Yarn which version to use for which deep-nested dependency. E.g. if we want to upgrade all uses of glob-parent, let’s add a resolution in our package.json

"resolutions": {
"**/glob-parent": "^5.1.2"
}

The pattern here tells us that we want to update all transitive dependencies to version 5.1.2. If we want to update e.g. just the version of glob-parent for chokidar to a different version, we would use chokidar/**/glob-parent for that. See selective dependency resolutions for more detail.

Did it help? A little bit!

20 vulnerabilities found - Packages audited: 1122
Severity: 1 Low | 7 Moderate | 12 High
✨ Done in 1.50s.

Now let’s continue with all the other dependencies as well and enjoy your Tuesday!

Shortcut #

The other solution is to take the shortcut and let NPM handle the audit and fix it. This is the thing I usually do.

First, I install just a package-lock.json

$ npm i --package-lock-only

No actual module installations, just an overview of what NPM thinks needs to be done. It boils down to a few dependencies. Those are the ones that are not resolved by a fresh install and need a fix. Instead of showing every dependency resolution, NPM shows the packages that are vulnerable.

found 3 vulnerabilities (1 low, 2 moderate)
run `npm audit fix` to fix them, or `npm audit` for details

An audit gives us more information.

$ npm audit
=== npm audit security report ===

# Run npm install --save-dev [email protected] to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ concurrently [dev]
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ concurrently > yargs > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1500 │
└───────────────┴──────────────────────────────────────────────────────────────┘

# Run npm install --save-dev [email protected] to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Regular expression denial of service
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nodemon > chokidar > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1751 │
└───────────────┴──────────────────────────────────────────────────────────────┘

# Run npm install --save-dev [email protected] to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Regular expression denial of service
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ webpack > watchpack > watchpack-chokidar2 > chokidar >
│ │ glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1751 │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 3 vulnerabilities (1 low, 2 moderate) in 1092 scanned packages
3 vulnerabilities require semver-major dependency updates.

NPM has the possibility to auto-fix:

$ npm audit fix

And if there are SEMVER warnings, let’s manually check each dependency override all warnings and upgrade anyway.

$ npm audit fix --force

NPM updates everything accordingly. Time to create a new yarn.lock file. Remove the old one and call yarn import.

$ rm yarn.lock
$ yarn import

Yarn will create the lockfile based on your package-lock.json. No need for package-lock.json anymore, so let’s get rid of it and do another audit.

$ rm package-lock.json 
$ yarn audit
yarn audit v1.22.10
0 vulnerabilities found - Packages audited: 945
✨ Done in 1.20s.

✨ indeed. Commit, push, and get rid of all your dependabot alerts.

A cry for help #

This is what I found out while maintaining some projects from the past that screamed red warnings at me because of outdated dependencies. To be fair, I never used Yarn extensively so I can’t tell if I missed something peculiar. If I missed something, I’m more than happy to get in contact with you! Cheers!

Update: Alex introduced me to yarn-audit-fix, which should help in this matter. Thank you!

Related Articles