
Comments (12)

ErikSchierboom avatar ErikSchierboom commented on July 17, 2024 2

prettier on the other hand reformats a bunch of stuff. Most things look harmless, but there are the custom blocks, e.g. ~~~~exercism/caution. These are reformatted to use three backticks.

We have a ruby script to fix those: https://github.com/exercism/problem-specifications/blob/f59cb2b5a38f4e0a1a65a121aac15839bcf7c6ab/.github/workflows/action-format.yml#L93C14-L93C14

from problem-specifications.
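The fix-up that the linked workflow performs in Ruby, written here as an added JavaScript example (this is not the repository's script and is not from the thread): after Prettier rewrites a `~~~~exercism/caution` block as a three-backtick fence, walk the Markdown line by line and turn `` ```exercism/<kind> `` openers and their closing fences back into `~~~~`. Ordinary fenced code blocks are tracked so that an `exercism/...` line inside one is left alone. The sample Markdown is constructed, and the example assumes the custom blocks contain no nested fences.

```javascript
// Added example, not the Ruby script linked above and not part of the
// problem-specifications repo. Restores Exercism's custom
// "~~~~exercism/<kind>" fences after Prettier has rewritten them as
// "```exercism/<kind>". Assumes no nested fences inside a custom block.
const CUSTOM_OPEN = /^(\s*)```(exercism\/[a-z-]+)\s*$/;
const FENCE_CLOSE = /^\s*```\s*$/; // a closing fence carries no info string

function restoreExercismFences(markdown) {
  const out = [];
  // "text": ordinary Markdown; "code": inside a normal ``` block, copied through
  // untouched; "custom": inside an exercism/* block whose closer must become ~~~~
  let state = "text";
  for (const line of markdown.split("\n")) {
    if (state === "text") {
      const m = CUSTOM_OPEN.exec(line);
      if (m) {
        out.push(`${m[1]}~~~~${m[2]}`);
        state = "custom";
        continue;
      }
      if (/^\s*```/.test(line)) state = "code";
    } else if (state === "code") {
      if (FENCE_CLOSE.test(line)) state = "text";
    } else if (FENCE_CLOSE.test(line)) {
      out.push(line.replace("```", "~~~~"));
      state = "text";
      continue;
    }
    out.push(line);
  }
  if (state === "custom") throw new Error("unterminated exercism/* block");
  return out.join("\n");
}

// Constructed sample mimicking Prettier's output: two custom blocks plus an
// ordinary code block whose content happens to look like a custom opener
// (it has an info string, so it cannot close the ```text fence).
const SAMPLE = [
  "# Instructions",
  "",
  "```exercism/caution",
  "Generated file, do not edit by hand.",
  "```",
  "",
  "```text",
  "```exercism/note",
  "```",
  "",
  "```exercism/note",
  "Notes go here.",
  "```",
].join("\n");

console.log(restoreExercismFences(SAMPLE));
```

To use it in a format workflow, read each affected Markdown file with `fs.readFileSync`, pass the text through `restoreExercismFences`, and write the result back; run it after Prettier, since Prettier would otherwise undo the restoration on the next pass.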

SleeplessByte avatar SleeplessByte commented on July 17, 2024 1

#2283 (comment)
[...] lock file be stored with those tools rather than with the data?

No, we pull in specific versions of those tools, so that everyone interacting with this repo uses the same versions. That's by design because formatters, linters, etc. can have different output for different versions.

Because it's impossible to "package" the tool as a "binary" (we would need one including a node runtime for each architecture we run on, and it would be huge), the next best thing is to set up a package.json.

It is imperative we keep the pinning, but it is also true that they should periodically be updated, which is what you are asking for and that is the right way forward.

from problem-specifications.

SleeplessByte avatar SleeplessByte commented on July 17, 2024 1

In package.json you can see the tools (top level dependencies) we use and need. This is the ajv cli and the prettier cli. If only the lock has issues and not the top levels, then it's a supply chain issue.

Generally updating them across the patch level version works, but almost always the issues are red herrings because there is actually no attack vector.

See: https://overreacted.io/npm-audit-broken-by-design/

from problem-specifications.

senekor avatar senekor commented on July 17, 2024 1

I took a stab at updating prettier and ajv-cli. Looks like both of them have breaking changes that are relevant for us.

ajv-cli throws some errors I do not understand. I looked at the json-schema documentation and it's much more complicated than I would've expected.

prettier on the other hand reformats a bunch of stuff. Most things look harmless, but there are the custom blocks, e.g. ~~~~exercism/caution. These are reformatted to use three backticks.

I stopped investigating at this point, it would be more efficient if someone can do these updates who is more experienced with these tools.

Edit: Updating prettier isn't really relevant to this issue specifically. prettier isn't flagged for a security vulnerability.

from problem-specifications.

senekor avatar senekor commented on July 17, 2024 1

Sorry for closing this prematurely. ajv-cli 5.0 still has a security issue flagged. Latest release was three years ago :( I'll check if there is another maintained validator we can switch to.

from problem-specifications.

wolf99 avatar wolf99 commented on July 17, 2024 1

Well done @senekor !! 🙌

from problem-specifications.

ErikSchierboom avatar ErikSchierboom commented on July 17, 2024

Because we use nodejs for several tools: https://github.com/exercism/problem-specifications/blob/main/package.json

from problem-specifications.

NobbZ avatar NobbZ commented on July 17, 2024

Perhaps it would still make sense to set up a dependabot, renovate, or any other tool to keep versions up2date?

from problem-specifications.

wolf99 avatar wolf99 commented on July 17, 2024

Because we use nodejs for several tools: https://github.com/exercism/problem-specifications/blob/main/package.json

But this is a JSON file, so data, not executable code.
Unless I missed it there is no executable JS in this repo. If tools from outside this repo are used within this repo, then shouldn't the lock file be stored with those tools rather than with the data?

Apologies if this is a silly question, I know nothing about JS. Just trying to get the security alerts resolved! 🙂

from problem-specifications.

wolf99 avatar wolf99 commented on July 17, 2024

Perhaps it would still make sense to set up a dependabot, renovate, or any other tool to keep versions up2date?

I think the existing dependabot would do this for us, except the lock file has several uses of ^, meaning that some dependencies are pinned to a specific major version. In the cases in question, those pinned major versions are now quite old.

I assume there was/is some functionality that depends on this pinning, but I don't know where or how to confirm if that is a correct guess, and if it is still relying on it today.

from problem-specifications.
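SleeplessByte's point that the tool versions are pinned by design, and the question above about `^` ranges, can both be checked mechanically. The following is an added example, not tooling from the problem-specifications repository: it reads the dependency specs that `package.json` records (where npm stores ranges such as `^2.8.0`), reports any top-level dependency that is not an exact version, and, for exact pins, reports entries whose `package-lock.json` (lockfileVersion 2 or 3 layout) resolves to a different version. The package names and versions in the sample are constructed for the example.

```javascript
// Added example, not the repo's own tooling: flag top-level dependencies in
// package.json that are not pinned to an exact version, and exact pins whose
// lockfile entry has drifted. The sample package.json and lockfile objects
// below are constructed for illustration.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function auditPins(pkg, lock) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      // Anything that is not a bare x.y.z (caret/tilde ranges, "*", dist-tags,
      // git or tarball URLs) lets `npm install` pick a different version later.
      if (!EXACT_VERSION.test(spec)) {
        findings.push({ name, field, spec, problem: "not an exact version" });
        continue;
      }
      // lockfileVersion 2/3 keys installed packages by path under "packages".
      const locked = lock?.packages?.[`node_modules/${name}`]?.version;
      if (locked === undefined) {
        findings.push({ name, field, spec, problem: "missing from lockfile" });
      } else if (locked !== spec) {
        findings.push({ name, field, spec, problem: `lockfile resolves to ${locked}` });
      }
    }
  }
  return findings;
}

function formatFindings(findings) {
  return findings.map((f) => `${f.field}.${f.name} = "${f.spec}": ${f.problem}`);
}

// Constructed sample inputs (versions are made up for the example).
const SAMPLE_PACKAGE = {
  devDependencies: {
    "ajv-cli": "5.0.0",      // exact pin that matches the lockfile
    "prettier": "^2.8.0",    // caret range: any 2.x >= 2.8.0 is acceptable to npm
    "some-linter": "3.1.0",  // exact pin, but the lockfile has drifted
    "some-plugin": "latest", // dist-tag, not a version at all
  },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: SAMPLE_PACKAGE.devDependencies },
    "node_modules/ajv-cli": { version: "5.0.0" },
    "node_modules/prettier": { version: "2.8.8" },
    "node_modules/some-linter": { version: "3.0.0" },
  },
};

for (const line of formatFindings(auditPins(SAMPLE_PACKAGE, SAMPLE_LOCK))) {
  console.log(line);
}
```

In a CI job you would load the real files with `JSON.parse(fs.readFileSync("package.json", "utf8"))` and `package-lock.json` the same way, and fail the job when `auditPins` returns anything. Note that with a committed lockfile, `npm ci` installs exactly the locked versions whatever the range in `package.json` says, and refuses to run if the two files disagree; the caret only widens what `npm install`, `npm update` and an update bot are allowed to move to, which is why checking both files together is more useful than checking either alone.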

wolf99 avatar wolf99 commented on July 17, 2024

Thanks for clarifying @SleeplessByte .

Then if updating the pinned dependencies is the way forward we'd need to understand what depends on those pinned versions.

So who knows which tools are dependent, and why, specifically, they are dependent on these pinned versions?

from problem-specifications.

senekor avatar senekor commented on July 17, 2024

The fix in ajv-cli has been ready to merge for almost a year, the project seems pretty much abandoned.

from problem-specifications.
