Skip to content

Commit

Permalink
build(yarn): add plugin-interactive-filter to manage deps per-package
Browse files Browse the repository at this point in the history
This plugin allows to resolve some CVEs more surgically that are found in indirect
dependencies which are difficult to upgrade without triggering a large change
needed and potential migrations, breaking changes to the public APIs of packages.

The reason why the above problem happens is because `yarn up` and `yarn up -R`
are blunt instruments when it comes to managing a monorepo such as ours:
They do their upgrade all-or-nothing, e.g. you can't upgrade a single dependency
in a single monorepo package, you must upgrade the dependency project-wide
with the mentioned tools, but sometimes we need to perform the upgrade just in a
single monorepo package.

For example to the above, about 20 packages use web3 but only about 5 of those
are using v4.x versions of web3. A new CVE came out covering v4.1.x and so
I needed to upgrade web3 only in those packages where web3 was already above
v4.0.0 and leave the older ones alone (surgical upgrades).

To accomplish this I've found no way to do it with stock yarn CLI commands, but
someone who had the exact same problem had written a plugin for solving it.

The original issue reported to yarn with the same problem we are having:
yarnpkg/berry#2591

The repository where the plugin resides that we are adding in this commit in
order to remediate the problem of lack of surgical (per-package) upgrades:
https://github.com/eyolas/yarn-plugin-interractive-filter

The original CVE that I was investigating as I stumbled upon the solution:
- https://github.com/hyperledger/cacti/pull/3264
- https://github.com/hyperledger/cacti/security/dependabot/987

Signed-off-by: Peter Somogyvari <[email protected]>
  • Loading branch information
petermetz committed Jun 6, 2024
1 parent 49e7191 commit 13f457c
Show file tree
Hide file tree
Showing 2 changed files with 378 additions and 0 deletions.
Loading

1 comment on commit 13f457c

@github-actions
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 0.05.

Benchmark suite Current: 13f457c Previous: 6994e5b Ratio
plugin-ledger-connector-besu_HTTP_GET_getOpenApiSpecV1 716 ops/sec (±3.15%) 737 ops/sec (±2.91%) 1.03

This comment was automatically generated by workflow using github-action-benchmark.

CC: @petermetz

Please sign in to comment.