Closed Bug 1605231 Opened 4 years ago Closed 4 years ago

update Yarn to 1.21.1 to close package.json file overwrite vulnerability

Categories

(DevTools :: General, defect)

Product:
DevTools
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox73 fixed)

Status:
RESOLVED FIXED
Milestone:
Firefox 73
Tracking Flags:
Tracking Status
firefox73 --- fixed

People

(Reporter: dmosedale, Assigned: jlast)

References

Details

Attachments

(2 files)

Bug 1605231 - update Yarn to 1.21.1. r=dmose
47 bytes, text/x-phabricator-request
Details | Review
Bug 1605231 - Update bundled node_modules for the builders to sync with the yarn update. r?Mossop
47 bytes, text/x-phabricator-request
Details | Review

The top-level package.json has yarn at version "^1.16.0". This has been fixed in yarn 1.21.1, and should be upgraded.

At the various least, this fix should pin the new version to 1.21.1, rather than using a non-pinned semantic version starting with a ^. This might also be a good time to move yarn from a dependency to a devDependency as per bug 1598445.

Assignee: nobody → jlaster
Status: NEW → ASSIGNED

Mark, I'm guessing this is going to need to have the tarballs updated for the testers?

Flags: needinfo?(standard8)

https://hg.mozilla.org/mozilla-central/rev/3c3fc5f3f7e7

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox73: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 73

(In reply to Dan Mosedale (:dmose, :dmosedale) from comment #5)

Mark, I'm guessing this is going to need to have the tarballs updated for the testers?

Yes, ideally that should happen before the patch lands (to avoid the builders pulling from npm repos), but I'll do that now.

Flags: needinfo?(standard8)

So typically, I need new upload credentials, I've requested, will try and get it moved forward...

Blocks: 1598445

Thanks; sorry for not realizing sooner that this would be needed.

Pushed by mbanner@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ece588f50535
Update bundled node_modules for the builders to sync with the yarn update. r=dmose
Flags: needinfo?(jlaster)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: