Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update uglify-js #26

Closed
AlexanderMoskovkin opened this issue Dec 21, 2016 · 7 comments
Closed

Update uglify-js #26

AlexanderMoskovkin opened this issue Dec 21, 2016 · 7 comments
Assignees
@AndreyBelym @AlexanderMoskovkin
Labels
TYPE: bug

Comments

@AlexanderMoskovkin
Copy link
Contributor

to fix vulnerabilities: https://nodesecurity.io/check/testcafe-legacy-api
@Zarel
Copy link

Zarel commented Nov 22, 2017
edited
Loading

GitHub is now complaining about this in every project that uses testcafe at all...

https://github.com/blog/2470-introducing-security-alerts-on-github

(I'm not sure why testcafe requires testcafe-legacy-api in the first place)

@AlexanderMoskovkin AlexanderMoskovkin self-assigned this Nov 22, 2017
@AlexanderMoskovkin
Copy link
Contributor Author

Hi @Zarel,

Thanks for pointing this out. We'll force our work on this issue.

@AlexanderMoskovkin
Copy link
Contributor Author

I'm working on this

@AlexanderMoskovkin
Copy link
Contributor Author

I've investigated it. Now we use [email protected]. To fix vulnerabilities we need to update to >=2.6.0. To migrate from 1.x.x to 2.x.x we should rewrite our legacy api compilator. Uglify JS was completely reworked after 1.x.x. Another API, another internal structure of ast. So it can take some additional time to update this.

The testcafe-legacy-api module is used by testcafe when you run tests written by using the legacy api syntax which was implemented for the previous paid TestCafe version. So the problem is not actual if you run tests written by using the new API.

@Zarel
Copy link

Zarel commented Nov 24, 2017

I mean, that's all fair, but npm doesn't actually support not installing unnecessary dependencies (they basically don't seem to care about optional dependencies at all; see npm/npm#17633), so [email protected] is still installed by default when someone types npm install testcafe, so GitHub will still issue security warnings to every repository that has testcafe in its package.json dependencies.

In summary: If someone types npm install testcafe in a GitHub repo, GitHub will give them a security warning. It's up to you what you want to do about that, but just be aware that that's the case.

@AlexanderMoskovkin
Copy link
Contributor Author

AlexanderMoskovkin commented Nov 24, 2017
edited
Loading

Now testcafe-legacy-api doesn't have uglify-js in the package.json.
After some investigation I've found the following things. It's marked that [email protected] has two vulnerabilities.

In fact one of them (https://nodesecurity.io/advisories/39) is actual only for 2.0.0 - 2.4.23 versions. It works properly with the 1.x.x.
The other (https://nodesecurity.io/advisories/48) is actual for 1.x.x.

I've copied required uglify-js scripts to our repository, fixed the vulnerability error and added tests for this.

@Zarel
Copy link

Zarel commented Nov 24, 2017

Oh, I see! Yeah, that's a good solution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AndreyBelym AndreyBelym

@AlexanderMoskovkin AlexanderMoskovkin

Labels
TYPE: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Zarel @AndreyBelym @AlexanderMoskovkin