Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to Yarn 4 and fix vulnerability check #3353

Merged
merged 9 commits into from
May 22, 2024
Merged

Upgrade to Yarn 4 and fix vulnerability check #3353

merged 9 commits into from
May 22, 2024

Conversation

ramondeklein
Copy link
Collaborator

@ramondeklein ramondeklein commented May 21, 2024
edited
Loading

See #3354. This upgrades Yarn to v4 to enable advisory suppression.

@ramondeklein ramondeklein self-assigned this May 21, 2024
@ramondeklein ramondeklein marked this pull request as draft May 21, 2024 18:56
@ramondeklein ramondeklein reopened this May 21, 2024
@ramondeklein ramondeklein force-pushed the fix-pdfjs-vulnerability branch from b604113 to 3b47d5e Compare May 21, 2024 19:33
@harshavardhana
Copy link
Member

@ramondeklein how about we move to latest yarn - we shouldn't have to use yarn1 we don't have a specific dependency.

@ramondeklein ramondeklein force-pushed the fix-pdfjs-vulnerability branch from 3b47d5e to eef298b Compare May 21, 2024 19:37
@ramondeklein ramondeklein force-pushed the fix-pdfjs-vulnerability branch 2 times, most recently from af9e896 to 0cf25c6 Compare May 21, 2024 19:53
@ramondeklein ramondeklein linked an issue May 21, 2024 that may be closed by this pull request
Fix pdfjs-dist vulnerability (advisory: 1097244) #3354
Closed
@ramondeklein
Copy link
Collaborator Author

@ramondeklein how about we move to latest yarn - we shouldn't have to use yarn1 we don't have a specific dependency.

I was just working on that 👍🏻

@ramondeklein ramondeklein changed the title Fix vulnerability check Upgrade to Yarn 4 and fix vulnerability check May 21, 2024
@ramondeklein ramondeklein force-pushed the fix-pdfjs-vulnerability branch from 0cf25c6 to 980063f Compare May 21, 2024 20:00
@ramondeklein ramondeklein force-pushed the fix-pdfjs-vulnerability branch from 980063f to 7a5c5fd Compare May 21, 2024 20:15
@ramondeklein ramondeklein force-pushed the fix-pdfjs-vulnerability branch from 8cc0b2c to 91b52f6 Compare May 21, 2024 20:53
@ramondeklein ramondeklein force-pushed the fix-pdfjs-vulnerability branch from 99a992a to 8cdf28d Compare May 22, 2024 07:51
@ramondeklein ramondeklein mentioned this pull request May 22, 2024
Closed
@ramondeklein
Copy link
Collaborator Author

The following changes have been made:

  • Enable corepack to enable versioned package managers (required to run Yarn 4).
  • Use the .nvmrc file in all places where the ${{ env.NVMRC }} was used to install NodeJS.
  • Use yarn npm audit (Yarn 4) instead of yarn audit (Yarn 1) and ignore the specific advisory.
  • Fix the script to detect dead code (it looks like Yarn 4 doesn't use the default shell to run commands).

@ramondeklein ramondeklein marked this pull request as ready for review May 22, 2024 08:43
@ramondeklein ramondeklein requested a review from bexsoft May 22, 2024 08:43
@shtripat shtripat mentioned this pull request May 22, 2024
Merged
harshavardhana
harshavardhana previously approved these changes May 22, 2024
View reviewed changes
@harshavardhana
Copy link
Member

This coverage limit check is a BS check can this be removed

Total: 63.75 KiB, Transferred: 63.75 KiB, Speed: 110.09 KiB/s
Access permission for `play/builds` is set to `public`
grep to obtain the result
Result:
22.7%
It is smaller than threshold (65.0%) value, failed!
Error: Process completed with exit code 1.

?

@ramondeklein
Copy link
Collaborator Author

@harshavardhana Minimum coverage of 65% percent also seems very low to me. If you want test coverage, then you should go for 100% coverage. It's the exceptions that always result in bugs. The standard codepath typically works fine, because everyone is using that every day.

This check was already there (and already failing for a while), but I can remove it.

@harshavardhana
Copy link
Member

@harshavardhana Minimum coverage of 65% percent also seems very low to me. If you want test coverage, then you should go for 100% coverage. It's the exceptions that always result in bugs. The standard codepath typically works fine, because everyone is using that every day.

This check was already there (and already failing for a while), but I can remove it.

I have changed the threshold to 1.0 to avail enough time to address the coverage whenever we can.

@harshavardhana
Copy link
Member

Okay, I'm going to merge this since we need to proceed to make a Console tag soon.

@dvaldivia dvaldivia merged commit 15635ec into minio:master May 22, 2024
34 checks passed
bexsoft
bexsoft approved these changes May 22, 2024
View reviewed changes
.github/workflows/jobs.yaml
@@ -1103,7 +1162,7 @@ jobs:
go tool cover -func=all.out | grep total > tmp2
result=`cat tmp2 | awk 'END {print $3}'`
result=${result%\%}
threshold=65.0
threshold=1.0
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can have a discussion on this as sometimes this value fluctuates when we build the UI (No Golang code), I think we can keep this value at least in 25

harshavardhana pushed a commit that referenced this pull request May 23, 2024
@ramondeklein @harshavardhana
Upgrade to Yarn 4 and fix vulnerability check (#3353)
cfd60bd
@ramondeklein ramondeklein deleted the fix-pdfjs-vulnerability branch May 29, 2024 16:53
@ramondeklein ramondeklein mentioned this pull request Jun 4, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bexsoft bexsoft bexsoft approved these changes

@dvaldivia dvaldivia dvaldivia approved these changes

@harshavardhana harshavardhana harshavardhana approved these changes

@cesnietor cesnietor Awaiting requested review from cesnietor

Assignees

@ramondeklein ramondeklein

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fix pdfjs-dist vulnerability (advisory: 1097244)
4 participants
@ramondeklein @harshavardhana @dvaldivia @bexsoft