deps: Bump serve-static to latest, 1.16.2 #5889
Merged
Taking this upgrade because we learned from dependabot that it fixes a security issue: #5887

The issue is in a dev-only indirect dependency, and even our development tools probably don't trigger it. But I can't rule out that they might.

The yarn.lock diff from dependabot is a bit messy, though, so here's me doing the same upgrade directly.

Because this is an indirect dependency, `yarn upgrade serve-static` just does nothing. (Seems like a bug / misfeature in Yarn.) And I don't want to do a general `yarn upgrade` in this legacy codebase right now -- that would balloon into a larger task. So, here's a fun technique to make the upgrade in a surgical way:

That deletes the "version", "resolved", and other fields in the lockfile's resolution of the `serve-static` package, replacing them with just a "version" line pointing at the desired version. Then rerunning `yarn` (aka `yarn install`) starts from that version when filling back in the rest of the details.
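The lockfile edit described above, as an added example that is not the PR's own command: a small awk script that keeps the `serve-static` header in a Yarn v1 lockfile, drops the stale `version`/`resolved`/`integrity`/`dependencies` fields and leaves a single `version "1.16.2"` line, ready for `yarn install` to refill the rest. The yarn.lock fragment it runs on is constructed for the demo (placeholder hashes); only the package name and target version come from the PR.

```shell
#!/bin/sh
# Added illustration of the lockfile trick, not the command from the PR. Assumes the
# Yarn v1 layout: a non-indented "name@range:" header, then two-space-indented fields.
# Constructed yarn.lock fragment for the demo; hashes/integrity values are placeholders.
make_sample_lock() {
  cat > "$1" <<'EOF'
# yarn lockfile v1

send@0.19.0:
  version "0.19.0"
  resolved "https://registry.yarnpkg.com/send/-/send-0.19.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

serve-static@1.16.0:
  version "1.16.0"
  resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.16.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
  dependencies:
    encodeurl "~2.0.0"
    send "0.19.0"

"@types/node@*":
  version "20.0.0"
EOF
}
# pin_lock_entry LOCKFILE PACKAGE VERSION
# Keeps PACKAGE's "name@range:" header, drops every indented line of that block
# (version, resolved, integrity, dependencies) and leaves a single version line.
# `yarn install` (not run here) then refills resolved/integrity/deps from VERSION.
pin_lock_entry() {
  lock=$1 pkg=$2 ver=$3
  awk -v pkg="$pkg" -v ver="$ver" '
    /^[^ #]/ {                # block header: is it our package (quoted or bare key)?
      inpkg = (index($0, pkg "@") == 1 || index($0, "\"" pkg "@") == 1)
      print
      if (inpkg) print "  version \"" ver "\""
      next
    }
    inpkg && /^  / { next }   # inside our block: discard the stale fields
    { print }                 # everything else passes through untouched
  ' "$lock" > "$lock.tmp" && mv "$lock.tmp" "$lock"
}

# Demo: pin serve-static to 1.16.2 in the constructed fragment and print the result.
demo() {
  tmp=$(mktemp); make_sample_lock "$tmp"
  pin_lock_entry "$tmp" serve-static 1.16.2
  cat "$tmp"; rm -f "$tmp"
}
demo
```

Other packages' blocks (here `send` and `@types/node`) pass through untouched, which is the point of doing this surgically rather than with a general `yarn upgrade`.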