This repository has been archived by the owner on Dec 15, 2020. It is now read-only.
This is a big can of worms to open up, but there are a bunch of security issues in this project's dependencies (mostly mocha and ember-cli). Unfortunately, upgrading ember-cli to the point where these issues are patched causes problems in this project's tests (which depend on now-removed private cli internals).
Don't use private internals of packages you depend on
Since this package was originally written, the terminal I/O stuff has been extracted to console-ui, and a feature that ember-cli-release's tests heavily rely on has been removed due to e-cli's own tests no longer needing it.
Through subclassing MockUI (once obtained from console-ui), we can get these back.
Inquirer is annoying
I've spent a few hours digging really deep into this, and am at the point where we can no longer reliably mock answers to inquirer questions. Inquirer's own tests are a shining example of why mocking and stubbing out the whole world is a bad idea (tests aren't even run against real input/output streams, and use tons of testing helpers that aren't easily available to consumers). Because inquirer is a dependency of ember-cli (and we don't really interact with it directly), we're even farther removed from this thing that we need to alter in big ways to test effectively.
I have escalated this to the ember-cli team, and can resume working on this once I have an answer, and more OSS time.
Backup plan
If beating inquirer into submission proves too time-consuming or difficult, we should explore rewriting the tests in such a way that the console-ui is mocked entirely. This would be a regrettable result of working with test-hostile dependencies of dependencies.
found 195 vulnerabilities (27 low, 112 moderate, 54 high, 2 critical)