atom/node-keytar

Upgrade dependencies' major versions

BHANU2705 opened this issue · 7 comments

Description

The dependencies (node-addon-api & prebuild-install) have got their major version upgrades.
The current versions are as follows:

  • node-addon-api: 4.3.0
  • prebuild-install: 7.0.0

These two dependencies bring many transitive dependencies which have security vulnerabilities, and WhiteSource keeps reporting them, and the consumers are unable to fix it properly.

Hence, requesting you to upgrade the keytar's dependencies' major version and release a new version of keytar - so that many of the security vulnerabilities get fixed.

Upgrading to the latest prebuild-install (7.0.1 as of today) will pull in the version of simple-get containing the fix for CVE-2022-0355.

Also, shouldn't prebuild-install be a dev dep?

All those dependencies have been upgraded. I'll test this tomorrow with GitHub Desktop and make a release if everything goes well. Sorry for the delay! /cc @joaomoreno

> Also, shouldn't prebuild-install be a dev dep?

@sergiou87 thoughts on this? Only being used to install prior to building

@aruniverse check this #443 (comment)

I actually did that initially, but it needs to be a runtime dep so it pulls all prebuilt binaries when node-keytar is added as a dependency by other projects 😅
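To illustrate the runtime-dep point above, here is an added, hypothetical package.json sketch (not keytar's actual manifest): npm runs a package's `install` script when a consumer installs it, but only the package's `dependencies` are installed into the consumer's tree, never its `devDependencies`, so `prebuild-install` must sit under `dependencies` for the prebuilt-binary download to work at that moment. The `node-gyp` entry and the script line are assumptions used only to show the fallback to a source build.

```json
{
  "name": "example-native-addon",
  "version": "0.0.0",
  "scripts": {
    "install": "prebuild-install || node-gyp rebuild"
  },
  "dependencies": {
    "node-addon-api": "^4.3.0",
    "prebuild-install": "^7.0.1"
  },
  "devDependencies": {
    "node-gyp": "^9.0.0"
  }
}
```

Moving `prebuild-install` to `devDependencies` would make the `install` script fail in every consumer that does not already have it, forcing a native compile (or an install error) instead of a prebuilt download.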

> I actually did that initially, but it needs to be a runtime dep so it pulls all prebuilt binaries when node-keytar is added as a dependency by other projects 😅

Ah sorry, didn't look at the thread, just the diff. Should it then be a peer dep? @sergiou87

> All those dependencies have been upgraded. I'll test this tomorrow with GitHub Desktop and make a release if everything goes well. Sorry for the delay! /cc @joaomoreno

Fantastic, thanks! I'll update the dependencies to keytar upstream, once you release a new version.