Closed Bug 1605231 Opened 2 years ago Closed 2 years ago

update Yarn to 1.21.1 to close package.json file overwrite vulnerability

Categories: DevTools :: General, defect
Priority: Not set
Severity: normal
Tracking: firefox73 fixed
Status: RESOLVED FIXED
Target Milestone: Firefox 73
People: Reporter: dmosedale, Assigned: jlast
Attachments: 2 files

The top-level package.json has yarn at version "^1.16.0". This has been fixed in yarn 1.21.1, and should be upgraded.

At the very least, this fix should pin the new version to 1.21.1, rather than using a non-pinned semantic version starting with a ^. This might also be a good time to move yarn from a dependency to a devDependency as per bug 1598445.
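An added check for the conditions raised in this report (example code, not from the bug or the Firefox tree): it audits a package.json for a yarn entry that is an exact pin, at least 1.21.1, and declared under devDependencies, using constructed sample manifests; the function names and the manifest samples are my own.

```javascript
// Added example: audit a package.json for the yarn packaging rules discussed
// in this bug. Not project code; constructed inputs below.
const MIN_YARN = "1.21.1"; // first version carrying the package.json overwrite fix

// Parse "MAJOR.MINOR.PATCH" into numbers; returns null for anything else,
// so a range such as "^1.16.0" is, by design, reported as not pinned.
function parseExact(spec) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns a list of findings; an empty list means the manifest is compliant.
function auditYarn(manifestText) {
  const pkg = JSON.parse(manifestText);
  const findings = [];
  const inDeps = pkg.dependencies && pkg.dependencies.yarn;
  const inDev = pkg.devDependencies && pkg.devDependencies.yarn;
  const spec = inDev || inDeps;
  if (!spec) return findings; // yarn is not declared in this manifest
  if (inDeps) findings.push("yarn is a runtime dependency; move it to devDependencies");
  const exact = parseExact(spec);
  if (!exact) {
    findings.push(`yarn spec "${spec}" is a range, not a pinned version`);
  } else if (compareVersions(exact, parseExact(MIN_YARN)) < 0) {
    findings.push(`yarn ${spec} is older than ${MIN_YARN}`);
  }
  return findings;
}

// Constructed sample manifests: the state described in the bug, and the fixed state.
const BEFORE = JSON.stringify({ dependencies: { yarn: "^1.16.0" } });
const AFTER = JSON.stringify({ devDependencies: { yarn: "1.21.1" } });
console.log(auditYarn(BEFORE)); // two findings: runtime dependency, unpinned range
console.log(auditYarn(AFTER));  // []
```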

Assignee: nobody → jlaster
Status: NEW → ASSIGNED

Mark, I'm guessing this is going to need to have the tarballs updated for the testers?

Flags: needinfo?(standard8)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 73

(In reply to Dan Mosedale (:dmose, :dmosedale) from comment #5)

> Mark, I'm guessing this is going to need to have the tarballs updated for the testers?

Yes, ideally that should happen before the patch lands (to avoid the builders pulling from npm repos), but I'll do that now.

Flags: needinfo?(standard8)

So typically I need new upload credentials; I've requested them and will try to get it moved forward...

Blocks: 1598445

Thanks; sorry for not realizing sooner that this would be needed.

Pushed by mbanner@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ece588f50535
Update bundled node_modules for the builders to sync with the yarn update. r=dmose
Flags: needinfo?(jlaster)