security: update 'decompress' dependency

The following commit updates the `decompress` dependency to benefit from the security vulnerability fix. The `yarn.lock` was updated to resolve the security advisory. Signed-off-by: vince-fugnitto <vincent.fugnitto@ericsson.com>
eclipse-theia · Aug 3, 2020 · e553543 · e553543
1 parent fedb5f3
commit e553543
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 ## v1.5.0
 
+- [security] updated version range of `decompress` to fix known security vulnerability [#8924](https://github.com/eclipse-theia/theia/pull/8294)
+  - with an updated version range, downstream applications have the possibility to:
+    - upgrade their `decompress` version (to benefit from the fix in `4.2.1`) by performing `yarn upgrade decompress` (which fixes the security flaw).
+    - use an earlier vulnerable version of `decompress` (`4.2.0`) for performance reasons by using `yarn resolutions`.
+
 <a name="breaking_changes_1.5.0">[Breaking Changes:](#breaking_changes_1.5.0)</a>
 
 - [output] `OutputWidget#setInput` has been removed. The _Output_ view automatically shows the channel when calling `OutputChannel#show`. Moved the `OutputCommands` namespace from the `output-contribution` to its dedicated `output-commands` module to overcome a DI cycle. [#8243](https://github.com/eclipse-theia/theia/pull/8243)

diff --git a/packages/plugin-ext/package.json b/packages/plugin-ext/package.json
@@ -27,7 +27,7 @@
     "@types/mime": "^2.0.1",
     "@types/serve-static": "^1.13.3",
     "connect": "^3.7.0",
-    "decompress": "4.2.0",
+    "decompress": "^4.2.0",
     "escape-html": "^1.0.3",
     "filenamify": "^4.1.0",
     "jsonc-parser": "^2.0.2",

diff --git a/yarn.lock b/yarn.lock
@@ -4846,10 +4846,10 @@ decompress-unzip@^4.0.1:
     pify "^2.3.0"
     yauzl "^2.4.2"
 
-decompress@4.2.0:
-  version "4.2.0"
-  resolved "https://registry.yarnpkg.com/decompress/-/decompress-4.2.0.tgz#7aedd85427e5a92dacfe55674a7c505e96d01f9d"
-  integrity sha1-eu3YVCflqS2s/lVnSnxQXpbQH50=
+decompress@^4.2.0:
+  version "4.2.1"
+  resolved "https://registry.yarnpkg.com/decompress/-/decompress-4.2.1.tgz#007f55cc6a62c055afa37c07eb6a4ee1b773f118"
+  integrity sha512-e48kc2IjU+2Zw8cTb6VZcJQ3lgVbS4uuB1TfCHbiZIP/haNXm+SVyhu+87jts5/3ROpd82GSVCoNs/z8l4ZOaQ==
   dependencies:
     decompress-tar "^4.0.0"
     decompress-tarbz2 "^4.0.0"