
chore: bump d3-color to 3.1.0, add postinstall hook to fix export path #167

Merged: 1 commit, Oct 19, 2022

Conversation

@mpopv (Contributor) commented Oct 19, 2022

Overview

d3-color 1.x is affected by a CVE. It is patched only in 3.1.0 and the maintainer refuses to backport the fix, so we need to upgrade.

d3-color is a dependency of several of our dependencies that specify 1.x, so we need to force resolution to 3.1.0 in package.json. This is fine because 2 and 3 merely drop support for old environments that we already disallow and do not introduce any other relevant breaking changes.

The only caveat is that newer versions switch to using the ESM source code as the package default export and expose the UMD-bundled version with the package.json "exports" property, but this property is only recognized in yarn v2 and we need to use the UMD version. A quick fix to make the package compatible with yarn v1 is to add a postinstall hook that rewrites the "main" export path to the UMD "exports" path, which I've done here.

Tests

See below

Legal

This project is available under the Apache 2.0 License.

@mpopv mpopv requested a review from diehbria October 19, 2022 19:02
@mpopv mpopv changed the title chore: bump d3-color to 3.1.0 chore: bump d3-color to 3.1.0, add postinstall hook to fix export path Oct 19, 2022
@mpopv mpopv self-assigned this Oct 19, 2022
@mpopv mpopv added the "dependencies" label (Pull requests that update a dependency file) Oct 19, 2022
@tjuranek (Contributor) left a comment

Sweet fix, this is way more simple than I expected it to be.

@mpopv mpopv merged commit f71f4c2 into awslabs:main Oct 19, 2022
mpopv added a commit to mpopv/synchro-charts that referenced this pull request Oct 21, 2022
mpopv added a commit that referenced this pull request Oct 21, 2022
* Revert "chore: bump d3-color to 3.1.0, add postinstall hook to fix export path (#167)"

This reverts commit f71f4c2.

* release version 6.0.3