-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Replace update notifier with simplified deps #2033
Conversation
✅ Deploy Preview for nodemon ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
this is good, but I'm wary your windows test didn't pass: https://github.com/alexbrazier/simple-update-notifier/runs/7033149767?check_suite_focus=true |
@remy thanks for looking into it! I actually force pushed that update as the Edit: Looks like I was looking at the wrong build you referenced - that failure was an old one caused by the single quotes that Windows wasn't liking and has since been fixed |
Seems it is not compatible with node 8.10.0 (minimum required version for nodemon) because |
Thanks @zorn-v, I've now pushed an update to fix that |
@alexbrazier worth wrapping this in a try/catch - https://github.com/alexbrazier/simple-update-notifier/blob/master/src/getDistVersion.ts#L13= - I can't remember what happens if this fails inside of the deep event handler - might be worth injecting some bad code to see how it behaves. |
Sure, something like this? https://github.com/alexbrazier/simple-update-notifier/pull/2/files |
@alexbrazier have you thought about using semver module instead of implementing your own version check? |
I was originally trying to keep it simple but now the version check has become more complicated than expected and still not perfect so happy to swap it out for |
I'm letting @alexbrazier have some time to settle the code base. It's not a straight up simple change and a few extra days to help iron out issues will be worthwhile in the long run. Plus, the reality of the vuln in nodemon has near zero impact. Of course it's not zero, but there's no path to exploit the actual vuln through nodemon (partly because it's fired outside of calling your code - which would take advantage of the vuln, and partly because nodemon in a lot of cases forks the sub process, so it never has access to any of the nodemon code - and thusly the vuln on The issue isn't being ignored, @alexbrazier has kindly and valiantly taken up the mantle to solve this dependency once and for all. |
semver 7.3.7 has "engines": {
"node": ">=10"
} There is |
Nothing when installing with npm, but seems there is an issue with yarn |
You can use |
package-json
to >=8.0.0 for vulnerability ingot
>= 12.0.0, < 12.1.0, < 11.8.5 #2028got
(CVE-2022-33987)update-notifier
withsimple-update-notifier
which does the same thing but has one dependency (semver
) rather than severalupdate-notifier
Demo