Javascript dependencies handling


#1

Hello all,

I’ve seen a few PRs come in to bump dependencies in RPM packaging. At the same time we’re working on getting the vendorjs package in. I’m a bit hesitant about merging them because we want to get vendorjs merged by next week. Part of this is to work on a more stable base, but on the other side it’s also as simple as time. It’s limited, and by ignoring them I can work on making sure vendorjs is done.

However, there is one that is interesting. We’ve bumped diff to 4.0.1 but because we deduplicate and share versions we had to patch unidiff to allow 4.x. We do this in RPM packaging because the upstream author is not responding and this allows us to close a CVE.

When we move to the vendorjs bundle, we lose the ability to modify individual packages. It is my understanding that NPM will then vendor the old, vulnerable version (as well as including a newer fixed one).

My question is: how are we going to deal with this?


#2

We might be able to achieve the same hack by manipulating the package-lock.json/yarn.lock to include different sub-packages.
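Whichever way the lockfile is manipulated, the bundle still needs to be checked for leftover copies of the old package before it ships. The script below is an added example, not code from this thread or from the project; it walks an npm `package-lock.json` (lockfileVersion 2/3 `packages` map, not yarn.lock) and reports every installed copy of a package whose version is below the first fixed release. The lockfile contents are constructed for the example, and treating 4.0.1 as the first fixed `diff` release is an assumption taken from the thread.

```javascript
// Added example: find every copy of a package in an npm lockfile and flag
// the ones still below the fixed version. Deduplication normally leaves one
// copy, but a dependency that pins an older range gets its own nested copy,
// which is exactly the case the thread worries about with unidiff and diff.

// Constructed sample lockfile (not from a real project): "diff" was bumped to
// 4.0.1 at the top level, but "unidiff" still pulls in its own 3.x copy.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { diff: "^4.0.1", unidiff: "^1.0.0" } },
    "node_modules/diff": { version: "4.0.1" },
    "node_modules/unidiff": { version: "1.0.2", dependencies: { diff: "^3.5.0" } },
    "node_modules/unidiff/node_modules/diff": { version: "3.5.0" },
  },
};

// Numeric comparison of dotted versions (no prerelease handling; enough here).
function versionLess(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Every install path of `name` in the lockfile, with the version found there.
function findInstalledVersions(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // "" is the root project
    // The package name is whatever follows the last "node_modules/" segment.
    const marker = "node_modules/";
    const pkgName = path.slice(path.lastIndexOf(marker) + marker.length);
    if (pkgName === name) out.push({ path, version: entry.version });
  }
  return out;
}

// Copies of `name` whose version is below `minFixed` (the first fixed release).
function findVulnerableCopies(lock, name, minFixed) {
  return findInstalledVersions(lock, name).filter((c) => versionLess(c.version, minFixed));
}

// Assumption: 4.0.1, the version the thread bumped to, is the first fixed release.
for (const c of findVulnerableCopies(SAMPLE_LOCK, "diff", "4.0.1")) {
  console.log(`vulnerable diff ${c.version} still present at ${c.path}`);
}
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a yarn.lock would need a separate parser.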