
Bump up babel-cli version to fix security alert #3121

Merged: 4 commits, Jun 8, 2019

Conversation

@ackintosh ackintosh (Contributor) commented Jun 8, 2019

PR checklist

  • Read the contribution guidelines.
  • Ran the shell script under ./bin/ to update Petstore sample so that CIs can verify the change. (For instance, only need to run ./bin/{LANG}-petstore.sh, ./bin/openapi3/{LANG}-petstore.sh if updating the {LANG} (e.g. php, ruby, python, etc) code generator or {LANG} client's mustache templates). Windows batch files can be found in .\bin\windows\. If contributing template-only or documentation-only changes which will change sample output, be sure to build the project first.
  • Filed the PR against the correct branch: master, 4.1.x, 5.0.x. Default: master.
  • Copied the technical committee to review the pull request if your PR is targeting a particular programming language.

Description of the PR

Updated the babel-cli version to fix the alert below.

Regular Expression Denial of Service
https://www.npmjs.com/advisories/786

$ cd samples/client/petstore/javascript-flowtyped
$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ babel-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ babel-cli > chokidar > anymatch > micromatch > braces        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 6034 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Used the npx CLI tool to find out how we should update package.json and .babelrc.

$ cd samples/client/petstore/javascript-flowtyped
$ npx babel-upgrade --write


🙌  Thanks for trying out https://github.com/babel/babel-upgrade !

Updating closest package.json dependencies
Index: /Users/akihito1/src/github.com/ackintosh/openapi-generator-1/samples/client/petstore/javascript-flowtyped/package.json
===================================================================
--- /Users/akihito1/src/github.com/ackintosh/openapi-generator-1/samples/client/petstore/javascript-flowtyped/package.json      Before Upgrade
+++ /Users/akihito1/src/github.com/ackintosh/openapi-generator-1/samples/client/petstore/javascript-flowtyped/package.json      After Upgrade
@@ -21,12 +21,13 @@
   "dependencies": {
     "portable-fetch": "^3.0.0"
   },
   "devDependencies": {
-    "babel-cli": "^6.26.0",
-    "babel-core": "^6.26.3",
-    "babel-plugin-transform-flow-strip-types": "^6.22.0",
+    "@babel/cli": "^7.0.0",
+    "@babel/core": "^7.0.0",
+    "@babel/plugin-transform-flow-strip-types": "^7.0.0",
     "babel-preset-react-app": "^3.1.1",
     "flow-copy-source": "^1.3.0",
-    "rimraf": "^2.6.2"
+    "rimraf": "^2.6.2",
+    "@babel/preset-flow": "^7.0.0"
   }
 }
\ No newline at end of file
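Review bot: the devDependencies block now mixes Babel 7 scoped packages (`@babel/cli`, `@babel/core`, `@babel/plugin-transform-flow-strip-types`, `@babel/preset-flow`) with `"babel-preset-react-app": "^3.1.1"`, which is left untouched; check that this preset version resolves against `@babel/core` 7 (or bump it as well), since a preset still tied to Babel 6 internals fails at build time rather than at install time. It is also worth stating in the PR description that this is a major-version migration (babel-cli 6 to @babel/cli 7), not a patch bump as the title suggests, and re-running `npm audit` after `npm install` to confirm that the `babel-cli > chokidar > anymatch > micromatch > braces` path no longer resolves to braces below 2.3.1; if the sample keeps a lockfile, committing the refreshed one makes that check reproducible in CI.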


Updating .babelrc config at .babelrc
Index: .babelrc
===================================================================
--- .babelrc    Before Upgrade
+++ .babelrc    After Upgrade
@@ -1,8 +1,9 @@
 {
   "presets": [
-    "react-app"
+    "react-app",
+    "@babel/preset-flow"
   ],
   "plugins": [
-    "transform-flow-strip-types"
+    "@babel/plugin-transform-flow-strip-types"
   ]
 }
\ No newline at end of file
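Review bot: `@babel/preset-flow` already bundles `@babel/plugin-transform-flow-strip-types`, so listing the preset under "presets" and the plugin under "plugins" applies Flow type stripping twice; keep one of them (the preset, since that is what babel-upgrade added) and drop the plugin entry from both `.babelrc` and `devDependencies`. Also confirm that the unchanged `"react-app"` preset name resolves to a Babel 7 compatible version once the other packages are upgraded.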

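The audit report above flags a vulnerable version of `braces` reached only through a chain of transitive devDependencies, and the fix is verified by checking that no installed copy is below the "Patched in" version. The following is an added example, not code from the PR or from the openapi-generator project: it walks a nested lockfile-style dependency tree and reports every path to a package whose version is older than the advisory's patched version. The tree and version numbers are constructed for illustration.

```javascript
// Added example (not part of the PR): walk a package-lock.json style
// nested "dependencies" tree and report every installed copy of a package
// that is below the advisory's patched version. Mirrors the audit path
// above: babel-cli > chokidar > anymatch > micromatch > braces, >=2.3.1.

// Compare dotted numeric versions ("2.3.0" vs "2.3.1"); returns -1, 0 or 1.
// Pre-release tags ("2.3.1-beta") are not handled; npm audit uses full semver.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every path to `name` whose version is older than
// `patchedIn`. `deps` is the nested "dependencies" object of a lockfile
// (v1 layout); the same package may appear several times at different depths.
function findVulnerablePaths(deps, name, patchedIn, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(deps || {})) {
    const path = trail.concat(dep);
    if (dep === name && compareVersions(info.version, patchedIn) < 0) {
      hits.push({ path: path.join(' > '), version: info.version });
    }
    hits.push(...findVulnerablePaths(info.dependencies, name, patchedIn, path));
  }
  return hits;
}

// Constructed lockfile fragment modelled on the audit report; the version
// numbers are illustrative, not taken from the real sample.
const BEFORE_UPGRADE = {
  'babel-cli': { version: '6.26.0', dependencies: {
    chokidar: { version: '1.7.0', dependencies: {
      anymatch: { version: '1.3.2', dependencies: {
        micromatch: { version: '2.3.11', dependencies: {
          braces: { version: '1.8.5' } } } } } } } } },
  rimraf: { version: '2.6.2' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerablePaths(BEFORE_UPGRADE, 'braces', '2.3.1'));
}
```

Running it against a tree generated from the real lockfile (for example `JSON.parse(fs.readFileSync('package-lock.json')).dependencies`) gives a quick post-upgrade check that the advisory path is gone.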
@ackintosh ackintosh (Contributor, Author) commented:

cc: @jaypea @CodeNinjai @frol @cliffano

@wing328 wing328 (Member) left a comment:

LGTM

@wing328 wing328 merged commit 2a5a272 into OpenAPITools:master Jun 8, 2019
@ackintosh ackintosh deleted the fix-security-alert branch June 9, 2019 02:57
fantavlik added a commit to fantavlik/openapi-generator that referenced this pull request Jun 17, 2019
…to inline-resolver

* 'master' of github.com:OpenAPITools/openapi-generator: (213 commits)
  Idiomatic Rust returns for Error conversions (OpenAPITools#2812)
  Add API timeout handling (OpenAPITools#3078)
  Import inner items for map (OpenAPITools#3123)
  update core team in pom.xml (OpenAPITools#3126)
  [gradle] Document consuming via gradle plugin portal (OpenAPITools#3125)
  Bump up babel-cli version to fix security alert (OpenAPITools#3121)
  [C++] [cpprestsdk] Add examples and test for cpprestsdk (OpenAPITools#3109)
  Add enum support to `rust` and skip none option serialization in clients (OpenAPITools#2244)
  Add/update new core team member: etherealjoy (OpenAPITools#3116)
  Gradle sample on travis (OpenAPITools#3114)
  [typescript-fetch] add bearer token support (OpenAPITools#3097)
  Add Q_DECLARE_METATYPE to the generated models and remove ref in signals (OpenAPITools#3091)
  [Java][okhttp-gson] Update dependencies (OpenAPITools#3103)
  Link query parameter to model object (OpenAPITools#2710)
  scala-play-server: fix enum names for reserved words (OpenAPITools#3080)
  Add @Sunn to openapi generator core team (OpenAPITools#3105)
  fix NPE in go generator (OpenAPITools#3104)
  scala-play-server: fix API doc url (OpenAPITools#3096)
  [maven-plugin] fix strictSpec parameter without alias (OpenAPITools#3095)
  Ruby: Avoid double escaping path items (OpenAPITools#3093)
  ...

# Conflicts:
#	modules/openapi-generator/src/main/java/org/openapitools/codegen/InlineModelResolver.java
#	modules/openapi-generator/src/test/java/org/openapitools/codegen/InlineModelResolverTest.java
jimschubert added a commit to jimschubert/openapi-generator that referenced this pull request Jun 24, 2019
* master: (25 commits)
  Add #send to ruby reserved word list (OpenAPITools#3146)
  Merge java8 doc for spring (OpenAPITools#3122)
  added api key authentication to aspnetcore 2.1 (OpenAPITools#3089)
  Add "yue9944882" to Perl technical committee (OpenAPITools#3194)
  [csharp-netcore]: Adding http response details in api_docs and making example snippet compilable (OpenAPITools#3128)
  generate travis configuration (OpenAPITools#3193)
  Perl: Basic bearer auth support (OpenAPITools#3192)
  [R] feat(r) : Alternate PR for serialization fixes along with WithHttpInfo method enhancement (OpenAPITools#3099)
  improve release checkout script (OpenAPITools#3184)
  Prepare 4.0.3-SNAPSHOT  (OpenAPITools#3185)
  4.0.2 release (OpenAPITools#3181)
  Fix rubocop obsolescence (OpenAPITools#3175)
  Add Fuse to the company list (OpenAPITools#3164)
  Idiomatic Rust returns for Error conversions (OpenAPITools#2812)
  Add API timeout handling (OpenAPITools#3078)
  Import inner items for map (OpenAPITools#3123)
  update core team in pom.xml (OpenAPITools#3126)
  [gradle] Document consuming via gradle plugin portal (OpenAPITools#3125)
  Bump up babel-cli version to fix security alert (OpenAPITools#3121)
  [C++] [cpprestsdk] Add examples and test for cpprestsdk (OpenAPITools#3109)
  ...