
dep: update compression-webpack-plugin #10391

Merged
merged 1 commit into from
Nov 8, 2021

Conversation

vince-fugnitto
Member

@vince-fugnitto vince-fugnitto commented Nov 5, 2021

What it does

The pull-request updates the use of @theia/compression-webpack-plugin (an outdated fork) to its upstream counterpart, since the former included security vulnerabilities.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Insecure serialization leading to RCE in                     │
│               │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @theia/application-manager                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @theia/application-manager >                                 │
│               │ @theia/compression-webpack-plugin > serialize-javascript     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1004041                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Insecure serialization leading to RCE in                     │
│               │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-javascript                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @theia/cli                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @theia/cli > @theia/application-manager >                    │
│               │ @theia/compression-webpack-plugin > serialize-javascript     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1004041                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

The cache is now a configuration option directly from webpack, and was removed as part of [email protected].

How to test

  1. confirm that executing yarn audit --level=high does not yield results for compression-webpack-plugin
  2. confirm that the build is successful, and the generated webpack configuration is correct (examples/browser/gen-webpack.config.js)
  3. confirm that compression works: examples/browser/lib/ should contain *.gz compressions such as bundle.js.gz
  4. confirm with compression off the *.gz files are not present
Compression Off (screenshot)

Signed-off-by: vince-fugnitto [email protected]

@vince-fugnitto vince-fugnitto added quality issues related to code and application quality security issues related to security dependencies pull requests that update a dependency file labels Nov 5, 2021
@vince-fugnitto vince-fugnitto self-assigned this Nov 5, 2021
Member

@msujew msujew left a comment


The dependency update looks good to me 👍

  • The dependency does not appear in the audit list anymore.
  • Files continue to be served using a compressed format. (content-encoding: gzip)
  • No additional build/bundling issues, Theia runs normally.

@vince-fugnitto vince-fugnitto force-pushed the vf/compression-webpack-plugin branch from 7afe74e to c7022e7 Compare November 8, 2021 18:03
The commit replaces the forked dependency
`@theia/compression-webpack-plugin` which was not maintained in favor of
the upstream dependency at the latest version. The original dependency
was quite old, and contained security vulnerabilities. The `cache`
option was preserved as it is now supported directly by webpack.

Signed-off-by: vince-fugnitto <[email protected]>
@vince-fugnitto vince-fugnitto force-pushed the vf/compression-webpack-plugin branch from c7022e7 to e62bde9 Compare November 8, 2021 20:09
@vince-fugnitto vince-fugnitto merged commit 01ad1b0 into master Nov 8, 2021
@vince-fugnitto vince-fugnitto deleted the vf/compression-webpack-plugin branch November 8, 2021 21:25
@github-actions github-actions bot added this to the 1.20.0 milestone Nov 8, 2021