This issue was moved to a discussion.

Vulnerability remediation using Yarn resolutions #3093

Closed
rarkins opened this issue Jan 21, 2019 · 4 comments
Labels
status:requirements Full requirements are not yet known, so implementation should not be started type:feature Feature (new functionality)

Comments

rarkins (Collaborator) commented Jan 21, 2019

Assume that:

  • There exists a vulnerability alert for a package thepackage within yarn.lock
  • There exists a known fixed minimum version (e.g. 1.8.5)

Can we "resolve" this vulnerability in all cases by simply adding it as a resolutions entry?

And should it be written just like this?

  "resolutions": {
    "thepackage": ">= 1.8.5"
  }

Would the above achieve the following dual aims?

  1. Immediately blocking the use of vulnerable < 1.8.5 versions even if some dependencies/sub-dependencies depend on versions in that range
  2. Not stopping use of greater/newer versions later once dependencies catch up and exceed this version

@arcanis could you clarify if this is a good approach to vulnerability remediation of transitive Yarn.lock dependencies?

@rarkins rarkins added type:feature Feature (new functionality) needs-requirements priority-2-high Bugs impacting wide number of users or very important features labels Jan 21, 2019
BYK commented Sep 10, 2019

Hi! I can say "yes" to both :)

rarkins (Collaborator, Author) commented Sep 10, 2019

Thanks. I guess then the downside of this approach is that potentially this new version (i.e. 1.8.5 in the example) is incompatible with one or more of the downstream packages depending on it in your dependency tree?

arcanis commented Sep 10, 2019

Woops - didn't see that before 🤔

Yes, although there is a potential problem because it'll also force packages that are, for example, ^0.9 to jump to 1.8.5, and it allows Yarn to use 1.8.5 to resolve a range that would be ^2 - causing compatibility issues in both cases. So I'd advise against keeping those entries in the resolutions field for too long (ideally we should have a way to blacklist packages, which is something I think we will have in the 2.x branch, maybe 2.1).
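The two failure modes arcanis describes (a dependent that declared ^0.9 being forced up to 1.8.5, and 1.8.5 being used to satisfy a dependent that asked for ^2) can be checked mechanically before a resolutions entry is committed. The following is an added example in JavaScript, not code from this issue, from Renovate or from Yarn. It implements a small semver range checker (exact, ^, ~ and the plain comparators; no "||" or "x" ranges) and audits a constructed set of dependents of thepackage against the version the `>= 1.8.5` resolution is assumed to select. The package names pkg-a, pkg-b and pkg-c, their ranges, and the resolved version 1.8.5 are all constructed for the example.

```javascript
// Added example, not code from the Renovate issue or from Yarn itself.
// Minimal semver range checker used to audit what a blanket "resolutions"
// entry does to the ranges other packages declare on the overridden dependency.

// Parse "1.8.5", "0.9" or "2" into [major, minor, patch]; missing parts become 0.
function parseVersion(v) {
  const parts = v.trim().split(".").map((p) => Number(p));
  if (parts.length < 1 || parts.length > 3 ||
      parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`invalid version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Compare two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Turn one range into bounds {lo, loInc, hi, hiInc}; null means unbounded.
// Caret/tilde follow npm semantics: ^1.2.3 -> [1.2.3, 2.0.0),
// ^0.9 -> [0.9.0, 0.10.0), ^0.0.3 -> [0.0.3, 0.0.4), ~1.2.3 -> [1.2.3, 1.3.0).
function rangeBounds(range) {
  const m = range.trim().match(/^(\^|~|>=|<=|>|<|=)?\s*(\d+(?:\.\d+){0,2})$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || "=";
  const given = m[2].split(".").length; // how many components were written
  const v = parseVersion(m[2]);
  const [major, minor, patch] = v;
  const nextMinor = [major, minor + 1, 0];
  const nextMajor = [major + 1, 0, 0];
  switch (op) {
    case "=":
      if (given === 3) return { lo: v, loInc: true, hi: v, hiInc: true };
      // "1" means 1.x.x and "1.8" means 1.8.x
      return { lo: v, loInc: true, hi: given === 1 ? nextMajor : nextMinor, hiInc: false };
    case ">=": return { lo: v, loInc: true, hi: null, hiInc: false };
    case ">":  return { lo: v, loInc: false, hi: null, hiInc: false };
    case "<=": return { lo: null, loInc: false, hi: v, hiInc: true };
    case "<":  return { lo: null, loInc: false, hi: v, hiInc: false };
    case "~":
      return { lo: v, loInc: true, hi: given === 1 ? nextMajor : nextMinor, hiInc: false };
    case "^": {
      let hi;
      if (major > 0 || given === 1) hi = nextMajor;
      else if (minor > 0 || given === 2) hi = nextMinor;
      else hi = [0, 0, patch + 1];
      return { lo: v, loInc: true, hi, hiInc: false };
    }
  }
  throw new Error(`unsupported operator: ${op}`);
}

// True when `version` lies within `range`.
function satisfies(version, range) {
  const v = parseVersion(version);
  const { lo, loInc, hi, hiInc } = rangeBounds(range);
  if (lo) {
    const c = compareVersions(v, lo);
    if (c < 0 || (c === 0 && !loInc)) return false;
  }
  if (hi) {
    const c = compareVersions(v, hi);
    if (c > 0 || (c === 0 && !hiInc)) return false;
  }
  return true;
}

// Names of dependents whose declared range is NOT satisfied by the version the
// resolutions entry selects; each one is a compatibility risk of the kind
// described in the thread.
function auditResolution(dependents, resolvedVersion) {
  return Object.keys(dependents)
    .filter((name) => !satisfies(resolvedVersion, dependents[name]))
    .sort();
}

// Constructed sample: ranges that three packages in an imagined tree declare on
// "thepackage" (in a real project, gather these from yarn.lock or `yarn why`).
const DEPENDENTS_ON_THEPACKAGE = {
  "pkg-a": "^1.2.0", // 1.8.5 lies inside ^1.2.0: unaffected
  "pkg-b": "^0.9",   // forced from 0.9.x up to 1.8.5: a major jump
  "pkg-c": "^2",     // 1.8.5 now satisfies a request for 2.x: effectively a downgrade
};

// The resolutions entry from the issue and, as an assumption for this example,
// the version it resolves to.
const RESOLUTION_RANGE = ">= 1.8.5";
const RESOLVED_VERSION = "1.8.5";

function reportFlaggedDependents() {
  if (!satisfies(RESOLVED_VERSION, RESOLUTION_RANGE)) {
    throw new Error("resolved version does not satisfy the resolutions range");
  }
  const flagged = auditResolution(DEPENDENTS_ON_THEPACKAGE, RESOLVED_VERSION);
  for (const name of flagged) {
    console.log(`${name} declares ${DEPENDENTS_ON_THEPACKAGE[name]} but will receive ${RESOLVED_VERSION}`);
  }
  return flagged;
}

reportFlaggedDependents();
```

Run with node; the dependents it prints are the ones whose declared range the override violates, which is the list to keep re-checking for as long as the resolutions entry stays in place. pkg-a passes because 1.8.5 is a compatible bump within ^1.2.0; pkg-b and pkg-c are flagged for exactly the two reasons given in the comment above.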

@rarkins rarkins self-assigned this Mar 9, 2020
@rarkins rarkins added priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others and removed priority-2-high Bugs impacting wide number of users or very important features labels Mar 9, 2020
@rarkins rarkins removed their assignment Mar 9, 2020
A comment from hoodie was marked as off-topic.

@rarkins rarkins added the status:requirements Full requirements are not yet known, so implementation should not be started label Jan 12, 2021
@rarkins rarkins added status:ready manager:npm package.json files (npm/yarn/pnpm) and removed status:requirements Full requirements are not yet known, so implementation should not be started labels Aug 8, 2021
@rarkins rarkins added status:requirements Full requirements are not yet known, so implementation should not be started and removed status:ready labels Nov 3, 2021
@renovatebot renovatebot deleted a comment from olegkrivtsov Apr 21, 2023
@rarkins rarkins removed priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others manager:npm package.json files (npm/yarn/pnpm) labels May 9, 2023
@renovatebot renovatebot locked and limited conversation to collaborators May 9, 2023
@rarkins rarkins converted this issue into discussion #22050 May 9, 2023
