-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vulnerabilities after update quasar-app-extension-testing-unit-jest 3.0.0 #378
Comments
@rstoenescu Could I get some feedback here please? |
@tinohager Pinging @IlCallo , which is the daddy of the q-testing suite :) |
@tinohager sorry, I'm really busy these months I'm trying to fix it, but I'm having an hard time understanding npm quirks Edit: seems like I fixed it, check out latest release |
I'm gonna assume the problem is solved and close this due to lack of response |
@IlCallo the issue has unfortunately not yet been resolved quasar upgrade -i
npm audit fix
|
I have now created two quasar projects from scratch (webpack and vite). After that I tried to add “quasar ext add @quasar/testing-unit-jest”. webpack
vite
|
You cannot use the Jest AE on a Vite project That aside, try upgrading your Coming back to the project you're upgrading, have you tried to delete package-lock and re-installing? |
The basic problem is that it does not work with a new quasar project either. As long as this is the case, it will probably not work for my project either. |
In the Documentation of quasar "https://github.com/quasarframework/quasar/blob/dev/docs/src/pages/quasar-cli-vite/testing-and-auditing.md" This part is wrong? quasar ext add @quasar/testing-unit-jest Installing
|
It's unbelievable how many dependencies there are here |
Welcome to JS ecosystem, and Jest sub-ecosystem in particular :) I just tried creating a new Quasar TS project with Webpack using NPM @rstoenescu we need to add an override field when using NPM to force the usage of the old TS version, since we cannot upgrade it in app-webpack-v3 due to Here's the fix to apply on the "overrides": {
"typescript": "~4.9.5"
} This is for pnpm instead "pnpm": {
"overrides": {
"typescript": "^4.9.4"
}
}, Yarn seems to do fine without overrides or resolutions fields This should be the package.json where to add the fix: https://github.com/quasarframework/quasar/blob/dev/create-quasar/templates/app/quasar-v2/ts-webpack-3/BASE/_package.json That said, a couple ESLint related to TS deps are too old, that's why there are problems when installing Jest AE Here are the dependencies to bump Then I added Jest AE and I indeed got the reported vulnerabilities you mentioned The problem doesn't seem that severe to me, since it's a problem related to unit testing and it won't affect the app at runtime Reference: davestewart/alias-hq#77 |
Notice that the problems here come from really old packages deep into the JS ecosystem https://github.com/facebook/jscodeshift is currently trying to get back on track after years without an official maintainer On top of that, many of these vulnerabilities aren't really exploitable if not in super rare cases, as I guess the whole ecosystem needs a major overhaul to fix these kind of stuff, which are way out of our scope and possibilities The patched versions don't seem to have breaking changes aside being rewritten in ESM so you can try adding overrides to avoid those reports and see if everything works fine "overrides": {
"vue-jscodeshift-adapter": "^3.0.0",
"micromatch": "^4.0.7"
}, If they do, we could consider making the AE automatically add it when using NPM, but it's additional complexity for a minimal risk, so I'm not sure we actually want to take care of it
|
Is this a pure NPM problem, would I be better off with The package dependencies and possible attacks on the dependencies are probably becoming an increasingly important topic. I also believe that there is a need to catch up here in the future. The question is how we deal with it at the moment. As a responsible developer, I naturally don't want to ignore the warnings and think that nothing will happen. |
Both That said, the overrides will fix vulnerabilities, except than for NPM which complains about |
Are there alternatives if the package no longer receives an update? |
We haven't explored that, but if there is a possible replacement to avoid the vulnerability disclaimer, we can try that |
|
Released v3.0.3 bumping that dependency, but |
I have added the information to the maintainer again |
Thanks! |
It seems that there is no longer any real maintenance for the project. |
Give it some more time, usually open source maintainers work in bursts with cycles every couple months, as they have to balance work, life and contributions |
After the latest update I have problems with the test project.
I have already tested it with a completely new project and here too the errors occur immediately. I also don't understand why it suggests the old version in the npm audit.
quasar upgrade -i
Found vulnerabilities
npm audit fix
The text was updated successfully, but these errors were encountered: