App icon indicating copy to clipboard operation
App copied to clipboard

Published 20 hours ago verified publisher icon Expensify

[$250] Update @svgr/webpack to version 6.0.0

Open flodnv opened this issue 2 years ago • 28 comments

If you haven’t already, check out our contributing guidelines for onboarding and email [email protected] to request to join our Slack channel!

Problem

The package [email protected] has a security vulnerability introduced through @svgr/[email protected], fixed in [email protected]

$ npm list nth-check                                                                                                                                                                                                                                    [12:38:18]
[email protected] /Users/flo/Expensidev/App
├─┬ @storybook/[email protected]
│ └─┬ @storybook/[email protected]
│   └─┬ @storybook/[email protected]
│     ├─┬ @storybook/[email protected]
│     │ └─┬ [email protected]
│     │   └─┬ [email protected]
│     │     └─┬ [email protected]
│     │       └─┬ [email protected]
│     │         └── [email protected] deduped
│     └─┬ @storybook/[email protected]
│       └─┬ [email protected]
│         └─┬ [email protected]
│           └─┬ [email protected]
│             └─┬ [email protected]
│               └── [email protected] deduped
├─┬ @svgr/[email protected]
│ └─┬ @svgr/[email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected] deduped
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

Solution

Upgrade to @svgr/[email protected]

Expensify/Expensify Issue URL: https://github.com/Expensify/Expensify/issues/218325 Upwork URL: https://www.upwork.com/jobs/~01615065cda2c02b5a

View all open jobs on GitHub

flodnv avatar Oct 13 '22 11:10 flodnv

Triggered auto assignment to @flaviadefaria (External), see https://stackoverflow.com/c/expensify/questions/8582 for more details.

melvin-bot[bot] avatar Oct 13 '22 11:10 melvin-bot[bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @Santhosh-Sellavel (External)

melvin-bot[bot] avatar Oct 13 '22 11:10 melvin-bot[bot]

Triggered auto assignment to @Gonals (External), see https://stackoverflow.com/c/expensify/questions/7972 for more details.

melvin-bot[bot] avatar Oct 13 '22 11:10 melvin-bot[bot]

Proposal

Solution: Upgrade version at package.json.

-  "@svgr/webpack": "^5.5.0",
+  "@svgr/webpack"  "^6.0.0",

hungvu193 avatar Oct 13 '22 11:10 hungvu193

I have a related one, going to take this from you @flaviadefaria.

trjExpensify avatar Oct 13 '22 12:10 trjExpensify

Upwork job here: https://www.upwork.com/jobs/~01615065cda2c02b5a

trjExpensify avatar Oct 13 '22 12:10 trjExpensify

Proposal

update from "@svgr/webpack": "^5.5.0" to "@svgr/webpack": "^6.0.0" in package.json https://github.com/Expensify/App/blob/8aec877a678d09600e110e0fc7bc597e342ef342/package.json#L138

BREAKING CHANGES

  1. Config format of SVGO changes & SVGR does not merge SVGO config
  2. Template has a new format
  3. core: @svgr/core now exposes { transform } instead of default export
  4. using --icon as latest arg now requires "--"

gadhiyamanan avatar Oct 13 '22 12:10 gadhiyamanan

When I raised the Same issue long back , it was not considered I even shared the issue in slack, I included other package also ( react-native-svg-transformer) it also uses svgo which is dependent on older version of nth check

saivineeth100 avatar Oct 13 '22 12:10 saivineeth100

FWIW, the problem statement is not the same.

flodnv avatar Oct 13 '22 13:10 flodnv

Heading is different , but its same When I posted about @svgr/webpack issue I was said that's not useful p/s Check comments here https://expensify.slack.com/archives/C01GTK53T8Q/p1660141537100609?thread_ts=1660141537.100609&cid=C01GTK53T8Q

saivineeth100 avatar Oct 13 '22 14:10 saivineeth100

As far as I can tell, that problem statement and the one proposed here are not the same. Am I wrong?

flodnv avatar Oct 13 '22 15:10 flodnv

Ok , what about This This has similar security vulnerability

saivineeth100 avatar Oct 14 '22 13:10 saivineeth100

Ok , what about This Screenshot_2022-10-14-19-14-47-415_com Slack

This has similar security vulnerability

saivineeth100 avatar Oct 14 '22 13:10 saivineeth100

@trjExpensify, @Gonals, @Santhosh-Sellavel Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

melvin-bot[bot] avatar Oct 17 '22 07:10 melvin-bot[bot]

@saivineeth100 according to package-lock.json and npm list nth-check`, this is not accurate:

$ npm list nth-check                                                                                                                                                                                                                                 
[email protected] /Users/flo/Expensidev/App
├─┬ @storybook/[email protected]
│ └─┬ @storybook/[email protected]
│   └─┬ @storybook/[email protected]
│     ├─┬ @storybook/[email protected]
│     │ └─┬ [email protected]
│     │   └─┬ [email protected]
│     │     └─┬ [email protected]
│     │       └─┬ [email protected]
│     │         └── [email protected] deduped
│     └─┬ @storybook/[email protected]
│       └─┬ [email protected]
│         └─┬ [email protected]
│           └─┬ [email protected]
│             └─┬ [email protected]
│               └── [email protected] deduped
├─┬ @svgr/[email protected]
│ └─┬ @svgr/[email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected]
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected] deduped
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

I would appreciate it if we could please keep this issue's scope to the problem/solution description in the issue.

flodnv avatar Oct 17 '22 12:10 flodnv

@Santhosh-Sellavel can you please review the proposals from @hungvu193 and @gadhiyamanan

flodnv avatar Oct 17 '22 12:10 flodnv

@hungvu193 @gadhiyamanan

Do we have any other migration changes expected as there are some breaking changes?

Can you elaborate, on changes, if there are some migration changes, and how it does handle?

if no changes are required, how/why the breaking changes don't affect our app?

Thanks!

Santhosh-Sellavel avatar Oct 17 '22 16:10 Santhosh-Sellavel

@Santhosh-Sellavel Since we are using @svgr/webpack as a loader for web and all these breaking changes for the command line tool, template, @svgr/core which we didn't use in our application, we only need to update the version in package.json.

hungvu193 avatar Oct 18 '22 03:10 hungvu193

@flodnv @Gonals

@hungvu193 proposal looks good to me.

C+ Reviewed. 👀 🎀 👀

Seems we need to update another library also, react-native-svg-transformer library's dependency libraries css select uses [email protected]

[email protected] /Users/santhoshkumar/Documents/App
├─┬ @storybook/[email protected]
│ └─┬ @storybook/[email protected]
│   └─┬ @storybook/[email protected]
│     ├─┬ @storybook/[email protected]
│     │ └─┬ [email protected]
│     │   └─┬ [email protected]
│     │     └─┬ [email protected]
│     │       └─┬ [email protected]
│     │         └── [email protected] deduped
│     └─┬ @storybook/[email protected]
│       └─┬ [email protected]
│         └─┬ [email protected]
│           └─┬ [email protected]
│             └─┬ [email protected]
│               └── [email protected] deduped
├─┬ @svgr/[email protected]
│ └─┬ @svgr/[email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected] deduped
├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected] deduped
├─┬ [email protected]
│ └─┬ @svgr/[email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

Santhosh-Sellavel avatar Oct 18 '22 23:10 Santhosh-Sellavel

Cool, so once @Gonals gives this the all clear. I'll send the offer!

trjExpensify avatar Oct 19 '22 22:10 trjExpensify

Cool, just let me know then I'll apply.

hungvu193 avatar Oct 20 '22 06:10 hungvu193

@Gonals - bump on this proposal review?

trjExpensify avatar Oct 20 '22 19:10 trjExpensify

@trjExpensify, @Gonals, @Santhosh-Sellavel Uh oh! This issue is overdue by 2 days. Don't forget to update your issues!

melvin-bot[bot] avatar Oct 24 '22 07:10 melvin-bot[bot]

@trjExpensify, @Gonals, @Santhosh-Sellavel Whoops! This issue is 2 days overdue. Let's get this updated quick!

melvin-bot[bot] avatar Oct 24 '22 07:10 melvin-bot[bot]

@Gonals - bump on this proposal review?

LGTM!

Gonals avatar Oct 25 '22 07:10 Gonals

Cool, should I apply to upwork?

hungvu193 avatar Oct 25 '22 07:10 hungvu193

@Gonals What should we do about another library?

Seems we need to update another library also, react-native-svg-transformer library's dependency libraries css select uses [email protected]


[email protected] /Users/santhoshkumar/Documents/App

├─┬ @storybook/[email protected]

│ └─┬ @storybook/[email protected]

│   └─┬ @storybook/[email protected]

│     ├─┬ @storybook/[email protected]

│     │ └─┬ [email protected]

│     │   └─┬ [email protected]

│     │     └─┬ [email protected]

│     │       └─┬ [email protected]

│     │         └── [email protected] deduped

│     └─┬ @storybook/[email protected]

│       └─┬ [email protected]

│         └─┬ [email protected]

│           └─┬ [email protected]

│             └─┬ [email protected]

│               └── [email protected] deduped

├─┬ @svgr/[email protected]

│ └─┬ @svgr/[email protected]

│   └─┬ [email protected]

│     └─┬ [email protected]

│       └── [email protected] deduped

├─┬ [email protected]

│ └─┬ [email protected]

│   └─┬ [email protected]

│     └─┬ [email protected]

│       └── [email protected] deduped

├─┬ [email protected]

│ └─┬ @svgr/[email protected]

│   └─┬ [email protected]

│     └─┬ [email protected]

│       └── [email protected]

└─┬ [email protected]

  └─┬ [email protected]

    └── [email protected]

Santhosh-Sellavel avatar Oct 25 '22 11:10 Santhosh-Sellavel

@Gonals What should we do about another library?

Seems we need to update another library also, react-native-svg-transformer library's dependency libraries css select uses [email protected]

[email protected] /Users/santhoshkumar/Documents/App

├─┬ @storybook/[email protected]

│ └─┬ @storybook/[email protected]

│   └─┬ @storybook/[email protected]

│     ├─┬ @storybook/[email protected]

│     │ └─┬ [email protected]

│     │   └─┬ [email protected]

│     │     └─┬ [email protected]

│     │       └─┬ [email protected]

│     │         └── [email protected] deduped

│     └─┬ @storybook/[email protected]

│       └─┬ [email protected]

│         └─┬ [email protected]

│           └─┬ [email protected]

│             └─┬ [email protected]

│               └── [email protected] deduped

├─┬ @svgr/[email protected]

│ └─┬ @svgr/[email protected]

│   └─┬ [email protected]

│     └─┬ [email protected]

│       └── [email protected] deduped

├─┬ [email protected]

│ └─┬ [email protected]

│   └─┬ [email protected]

│     └─┬ [email protected]

│       └── [email protected] deduped

├─┬ [email protected]

│ └─┬ @svgr/[email protected]

│   └─┬ [email protected]

│     └─┬ [email protected]

│       └── [email protected]

└─┬ [email protected]

  └─┬ [email protected]

    └── [email protected]

I think we can update it as part of this. What do you think?

Gonals avatar Oct 26 '22 13:10 Gonals

@Santhosh-Sellavel - are we good with that? ^^

Cool, should I apply to upwork?

@hungvu193 - yes please. Looks like you haven't applied yet here.

trjExpensify avatar Oct 31 '22 12:10 trjExpensify

@trjExpensify I have applied (https://www.upwork.com/ab/proposals/1587067667179589633)

hungvu193 avatar Oct 31 '22 13:10 hungvu193