upgrade semver to 7.5.3 #18534
How do I verify that these upgrades have fixed the vulnerability, as I do not have access to run the command? Also, what do I do for vulnerabilities in packages that are using an older version of semver which were not listed, such as @babel/core, which is using version 6.3.0?
Hey 👋 so you can try and remove the older definitions from the
Hey @andym0457 looks like there are some merge conflicts that have crept in here :(
resolves backstage#18439 Signed-off-by: Andy Muldoon <andy.muldoon@ericsson.com>
Signed-off-by: Andy Muldoon <andy.muldoon@ericsson.com>
Hey @benjdlambert, I've addressed the comments left and have rebased the pull request to remove the conflicts. Here is a breakdown of which packages are still affected:
6.3.0
7.0.0
I'm not sure how to deal with these, as some are already on their latest release and still have an old semver version in use. Or is the MR OK with upgrading the packages that can be upgraded to resolve the issue?
Also, it's hard to see if the failures are related to this change (I wouldn't expect that they are).
My recommendation would be to upgrade as far as is possible with the currently released sets of packages. For downstream packages that have not yet released fixes, or for further upgrades, we should continue to integrate them as they come, because not all usages of the vulnerable semver package result in an exposure to the attack, so the more we can remove the sooner, the better.
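As an added example (not code from this pull request or from Backstage), a script that answers the verification question above by auditing a Yarn v1 lockfile for every version a package still resolves to and flagging those below the fixed release; the lockfile text and the function names are constructed for illustration.

```javascript
// Added example (not from the pull request or Backstage): list each resolved
// version of a package in a Yarn v1 lockfile; SAMPLE_LOCK is constructed.
const SAMPLE_LOCK = `
"@babel/core@^7.20.0":
  version "7.21.0"
  dependencies:
    semver "^6.3.0"
semver@^6.3.0:
  version "6.3.0"
"semver@^7.0.0":
  version "7.0.0"
"semver@^7.3.5, semver@^7.5.3":
  version "7.5.3"
`;

// Package name of a "name@range" spec; scoped names keep their leading "@".
const specName = (s) => (s.lastIndexOf("@") > 0 ? s.slice(0, s.lastIndexOf("@")) : s);

// Each lockfile entry for `pkg`: the ranges it satisfies and the version chosen.
function resolvedVersions(lockText, pkg) {
  const out = [];
  for (const block of lockText.split(/\n(?=\S)/)) {
    const header = block.trim().split("\n")[0];
    if (!header.endsWith(":")) continue;
    const specs = header.slice(0, -1).replace(/"/g, "").split(", ");
    if (!specs.some((s) => specName(s) === pkg)) continue;
    const v = block.match(/^\s+version "([^"]+)"/m);
    if (v) out.push({ specs, version: v[1] });
  }
  return out;
}

// True when version a sorts below b on major.minor.patch (suffixes ignored).
function olderThan(a, b) {
  const num = (v) => v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = num(a), pb = num(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Entries still resolving below the fixed release, e.g. semver < 7.5.3.
function outdatedEntries(lockText, pkg, minVersion) {
  return resolvedVersions(lockText, pkg).filter((e) => olderThan(e.version, minVersion));
}

for (const e of outdatedEntries(SAMPLE_LOCK, "semver", "7.5.3")) {
  console.log(`${e.version} is still pulled in via ${e.specs.join(", ")}`);
}
```

Run the same functions over the repository's real yarn.lock after the upgrade; each flagged entry names the ranges, and so the dependents, that still need a newer release.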
The changeset isn't super important here, as the fixed version is still in the accepted range for all these packages anyway, but it's nice to have. I think that this might be the best we can do right now until other packages update their semver ranges, but this is great for now!
Going to merge this as the E2Es are failing because of upstream type issues.
Thank you for contributing to Backstage! The changes in this pull request will be part of the
Hey, I just made a Pull Request!
resolves #18439
✔️ Checklist
- Added or updated documentation
- Tests for new functionality and regression tests for bug fixes
- Screenshots attached (for UI changes)
- Signed-off-by line in the message. (more info)