
fix: Replace unmaintained useragent with ua-parser-js

Open | NERDHEAD-lab opened this issue 5 months ago • 3 comments

Checklist

  • [x] I ran the linting and formatting tools (ESLint and Prettier)

Closes #[ISSUE_NUMBER]

Overview

This PR addresses a reported tmp package security vulnerability by replacing the unmaintained useragent library with ua-parser-js.

Changes

  • Removal of useragent library:
    • Uninstalled useragent and @types/useragent packages.
    • Cleaned up related dependencies in package.json and package-lock.json.
  • Introduction of ua-parser-js library:
    • Installed ua-parser-js and @types/ua-parser-js packages.
  • Codebase Updates:
    • src/hot-reload/HotReloaderServer.ts: Updated user agent parsing logic to use UAParser instead of useragent.
    • src/hot-reload/SignEmitter.ts: Simplified the SignEmitter constructor to accept only necessary browser information (name, version) from the UAParser.IResult object, and adjusted related logic.
    • specs/SignEmitter.specs.ts: Completely refactored the test suite to align with ua-parser-js types and the updated SignEmitter constructor signature, moving away from useragent dependencies.
  • Type Definition File Update:
    • The type definition in typings/webpack-ext-reloader.d.ts has been updated to a more structured format. This change was automatically applied during dependency updates and maintains backward compatibility for the public API. [377cd3f]
      • Maybe relevant to issue #583

Motivation

An npm audit report identified a security vulnerability in the tmp package, a dependency of useragent. As useragent is no longer actively maintained, replacing it with a modern and actively maintained alternative like ua-parser-js was necessary to resolve this issue and enhance the project's security posture.

Impact

  • Backward Compatibility: The SignEmitter class is an internal implementation detail of the library, so there are no API changes for external users. Backward compatibility is maintained.
  • Security: The security vulnerability related to the tmp package has been resolved.

Testing

The changes have been successfully built and tested using the following commands:

  • npm run build
  • npm run test
  • npm run lint
  • npm run format
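
The Motivation section above says `npm audit` flagged `tmp` as a transitive dependency of `useragent`. The following is an added example, not code from this PR or from the webpack-ext-reloader project: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and lists every dependency chain that reaches a named package, so a maintainer can see which direct dependency carries the flagged one and confirm the chain is gone after the swap. The lockfile fragment, its versions and the `dev-tool` package are constructed for the example.

```typescript
// Added example (not project code): trace dependency chains in a package-lock.json.
type LockPackage = { version?: string; dependencies?: Record<string, string> };
type LockFile = { packages: Record<string, LockPackage> };

// Mirror Node's resolution as recorded in the lockfile: prefer a copy nested under the
// requiring package, otherwise walk up through each ancestor's node_modules to the root.
function resolve(lock: LockFile, from: string, dep: string): string | undefined {
  let base = from;
  for (;;) {
    const candidate = base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return undefined;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package (key ""). Each result is the chain of package
// names from a direct dependency down to `target`; `seen` guards against cycles.
function chainsTo(lock: LockFile, target: string): string[][] {
  const found: string[][] = [];
  const walk = (path: string, trail: string[], seen: Set<string>): void => {
    for (const dep of Object.keys(lock.packages[path]?.dependencies ?? {})) {
      const next = resolve(lock, path, dep);
      if (!next || seen.has(next)) continue; // unresolved entry or cycle
      const nextTrail = [...trail, dep];
      if (dep === target) found.push(nextTrail);
      walk(next, nextTrail, new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return found;
}

// Constructed lockfile fragment: the root still depends on useragent (which pulls in tmp)
// and on a hypothetical dev-tool that carries its own nested copy of tmp.
const sampleLock: LockFile = {
  packages: {
    "": { dependencies: { useragent: "^2.3.0", "ua-parser-js": "^1.0.0", "dev-tool": "1.0.0" } },
    "node_modules/useragent": { version: "2.3.0", dependencies: { tmp: "0.0.x" } },
    "node_modules/tmp": { version: "0.0.33", dependencies: { "os-tmpdir": "~1.0.2" } },
    "node_modules/os-tmpdir": { version: "1.0.2" },
    "node_modules/ua-parser-js": { version: "1.0.0" },
    "node_modules/dev-tool": { version: "1.0.0", dependencies: { tmp: "^0.2.0" } },
    "node_modules/dev-tool/node_modules/tmp": { version: "0.2.1" },
  },
};

for (const chain of chainsTo(sampleLock, "tmp")) console.log(chain.join(" > "));
```

Run it against the real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result after the dependency swap is the confirmation the PR's Impact section claims.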

Summary by cubic

Replaced the unmaintained useragent library with ua-parser-js to fix a security vulnerability and update user agent parsing logic.

  • Dependencies
    • Removed useragent and @types/useragent.
    • Added ua-parser-js and @types/ua-parser-js.
  • Refactors
    • Updated HotReloaderServer and SignEmitter to use ua-parser-js for browser info.
    • Refactored related tests and type definitions for compatibility.

NERDHEAD-lab, Aug 08 '25 16:08