
[users/v-imaga/Security-update-bump-tar-to-4.4.15-or-later] fix: security-update-bump tar to 4.4.15 or later #5093

Conversation

radium-v (Collaborator)

Pull Request

📖 Description

Updates tar lockfile entries to 4.4.17 and 6.1.8.

🎫 Issues

#5035

πŸ‘©β€πŸ’» Reviewer Notes

To replicate this process:

Prerequisite: install yarn-deduplicate globally with yarn global add yarn-deduplicate.

  1. Clean your local workspace.
    git clean -dfx removes ALL untracked files! Use git clean -ndx first to see which files it will remove.
  2. Identify the affected packages and their full entries in the lockfile. It will look something like this:
    package-name@^1.2.3, package-name@^1.2.5, package-name@^1.4.5:
      version "1.4.5"
      resolved "https://registry.yarnpkg.com/package-name/-/package-name-1.4.5.tgz#abcdef12345"
      integrity sha512-abcdefghijklmnopqrstuvwxyz
      dependencies:
        another-package "^1.0.0"
        some-dependency "~3.4.5"
  3. Remove the entire entry from the lockfile.
    A find/replace for the package name won't work because the items under a package's dependencies: are immutable! They can't be changed. Yarn will always ensure that the items under dependencies: match exactly what the package says it needs. If they changed, then it must mean that the version, resolved, and integrity have also changed. If an entry's dependencies changed but the version, resolved, and integrity haven't changed, then Yarn will revert it.
  4. Run yarn --ignore-scripts to process the lockfile.
  5. Run yarn-deduplicate.
    This step is needed for the monorepo because of issues with Yarn v1.
  6. Repeat steps 4 and 5 until the output reads success Already up-to-date.
    This step is needed because yarn-deduplicate doesn't sort entries, but Yarn does.
  7. Stage and commit the lockfile changes.

✅ Checklist

General

  • I have included a change request file using $ yarn change
  • I have added tests for my changes.
  • I have tested my changes.
  • I have updated the project documentation to reflect my changes.
  • I have read the CONTRIBUTING documentation and followed the standards for this project.
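The lockfile surgery from steps 2 to 6 of the reviewer notes as a POSIX sh script. This is an added example, not code from the PR author or the project: it assumes the Yarn v1 lockfile layout (an unindented header line ending in `:`, indented body, blank-line separated) and runs against a constructed sample `yarn.lock` embedded below; `resolve_until_stable` wraps steps 4 to 6 and needs `yarn` and `yarn-deduplicate` on PATH.

```shell
#!/bin/sh
# _lock_filter <package> <want> <lockfile|->: print the entries whose header
# starts with "<package>@" when want=1, and every other line when want=0.
# Removing whole entries (header plus indented body) is what step 3 requires,
# since editing only the "dependencies:" block would be reverted by Yarn.
_lock_filter() {
  awk -v pkg="$1" -v want="$2" '
    BEGIN { sel = 0 }
    /^[^ #].*:$/ {                    # unindented header line, e.g. tar@^4.4.8, tar@^4.4.13:
      hdr = $0; sub(/^"/, "", hdr)    # scoped headers are quoted: "@scope/x@^1.0.0":
      sel = (index(hdr, pkg "@") == 1) # exact package name; tar@ does not match tar-stream@
    }
    /^$/ { if (sel == want) print; next } # keep the blank separator only with kept entries
    sel == want { print }
  ' "$3"
}

# Step 2: show the full entries for one package (to see what will be dropped).
show_lock_entries()   { _lock_filter "$1" 1 "${2:--}"; }
# Step 3: emit the lockfile with every entry for that package removed.
remove_lock_entries() { _lock_filter "$1" 0 "${2:--}"; }

# Steps 4-6: re-resolve, dedupe, and repeat until Yarn reports no changes.
resolve_until_stable() {
  while :; do
    out=$(yarn --ignore-scripts) || return 1
    printf '%s\n' "$out"
    case $out in *"success Already up-to-date"*) return 0 ;; esac
    yarn-deduplicate || return 1
  done
}

# Constructed sample yarn.lock (versions, URLs and hashes are placeholders).
sample_lock() {
  cat <<'EOF'
# yarn lockfile v1


minipass@^2.8.6:
  version "2.9.0"
  resolved "https://registry.yarnpkg.com/minipass/-/minipass-2.9.0.tgz#CONSTRUCTED"
  integrity sha512-CONSTRUCTED
  dependencies:
    safe-buffer "^5.1.2"

tar-stream@^2.1.4:
  version "2.2.0"
  resolved "https://registry.yarnpkg.com/tar-stream/-/tar-stream-2.2.0.tgz#CONSTRUCTED"
  integrity sha512-CONSTRUCTED

tar@^4.4.8, tar@^4.4.13:
  version "4.4.13"
  resolved "https://registry.yarnpkg.com/tar/-/tar-4.4.13.tgz#CONSTRUCTED"
  integrity sha512-CONSTRUCTED
  dependencies:
    minipass "^2.8.6"
EOF
}
```

Typical use on a real checkout: `remove_lock_entries tar yarn.lock > yarn.lock.new && mv yarn.lock.new yarn.lock && resolve_until_stable`, then stage and commit the result (step 7).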

@Ibrahimmaga Ibrahimmaga merged commit c7905b4 into users/v-imaga/Security-update-bump-tar-to-4.4.15-or-later Aug 19, 2021
@Ibrahimmaga Ibrahimmaga deleted the users/jokreitl/Security-update-bump-tar-to-4.4.15-or-later branch August 19, 2021 22:23
Ibrahimmaga added a commit that referenced this pull request Aug 27, 2021
* fix: security-update-bump tar to 4.4.15 or later

* [users/v-imaga/Security-update-bump-tar-to-4.4.15-or-later] fix: security-update-bump tar to 4.4.15 or later (#5093)

* Revert "fix: security-update-bump tar to 4.4.15 or later"

This reverts commit 268dfa8.

* upgrade tar lockfile entries to 4.4.17 and 6.1.8

Co-authored-by: John Kreitlow <863023+radium-v@users.noreply.github.com>
robarbms pushed a commit that referenced this pull request Sep 15, 2021