update Yarn to 1.21.1 to close package.json file overwrite vulnerability
Categories
(DevTools :: General, defect)
Tracking
(firefox73 fixed)

| | Tracking | Status |
|---|---|---|
| firefox73 | --- | fixed |
People
(Reporter: dmosedale, Assigned: jlast)
Attachments (2 files)
The top-level package.json has yarn at version "^1.16.0". This has been fixed in yarn 1.21.1, and should be upgraded.
At the very least, this fix should pin the new version to 1.21.1, rather than using a non-pinned semantic version starting with a ^. This might also be a good time to move yarn from a dependency to a devDependency as per bug 1598445.
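An added check, not code from this bug or from mozilla-central, that audits a package.json object for the two issues the report raises: a yarn entry that is a caret/tilde range (or pinned below the fixed release) and a yarn entry that sits in dependencies instead of devDependencies. The minimum version, the package name and the sample inputs are assumptions for illustration.

```javascript
// Added example (not part of the bug or the mozilla-central tree).
// Flags: an unpinned (range) version spec, a pinned version older than the
// fixed release, and a build tool listed under "dependencies".
const FIXED_YARN = "1.21.1"; // version named in the bug report

// Compare two dotted numeric versions; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// An exact pin is plain MAJOR.MINOR.PATCH; anything else is a range.
const EXACT = /^\d+\.\d+\.\d+$/;

// Return a list of findings for `pkgName` in a parsed package.json object.
function auditPackage(pkg, pkgName, minVersion) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    const spec = pkg[section] && pkg[section][pkgName];
    if (spec === undefined) continue;
    if (section === "dependencies") {
      findings.push(`${pkgName} is in dependencies; a build tool belongs in devDependencies`);
    }
    if (!EXACT.test(spec)) {
      findings.push(`${pkgName} uses range "${spec}"; pin an exact version`);
      continue; // a range cannot be compared numerically
    }
    if (compareVersions(spec, minVersion) < 0) {
      findings.push(`${pkgName} ${spec} is older than ${minVersion}`);
    }
  }
  return findings;
}

// Constructed sample inputs: the "before" and "after" shape of the package.json.
const before = { dependencies: { yarn: "^1.16.0" } };
const after = { devDependencies: { yarn: "1.21.1" } };

console.log(auditPackage(before, "yarn", FIXED_YARN)); // two findings
console.log(auditPackage(after, "yarn", FIXED_YARN));  // []
```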
Comment 1•4 years ago
Updated•4 years ago
Pushed by jlaster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/00af692eccde update Yarn to 1.21.1. r=dmose
Comment 3•4 years ago
Backed out for Lint failure.
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=281994537&repo=autoland
Backout: https://hg.mozilla.org/integration/autoland/rev/d26936e3f756d28a3f480d902f3fb8af7283835e
Pushed by jlaster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3c3fc5f3f7e7 update Yarn to 1.21.1. r=dmose
Comment 5•4 years ago
Mark, I'm guessing this is going to need to have the tarballs updated for the testers?
Comment 6•4 years ago
bugherder
Comment 7•4 years ago
> (In reply to Dan Mosedale (:dmose, :dmosedale) from comment #5)
> Mark, I'm guessing this is going to need to have the tarballs updated for the testers?
Yes, ideally that should happen before the patch lands (to avoid the builders pulling from npm repos), but I'll do that now.
Comment 8•4 years ago
So typically I need new upload credentials; I've requested them and will try and get it moved forward...
Comment 9•4 years ago
Thanks; sorry for not realizing sooner that this would be needed.
Comment 10•4 years ago
Comment 11•4 years ago
Pushed by mbanner@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ece588f50535 Update bundled node_modules for the builders to sync with the yarn update. r=dmose
Comment 12•4 years ago
bugherder
Updated•2 years ago