From e75f1456032ef1ef496ab262a5ad8d035f507981 Mon Sep 17 00:00:00 2001
From: Loran Mutafov
Date: Mon, 16 Dec 2019 12:01:43 +0000
Subject: [PATCH 1/2] Fix 3rd party dependency on merge-recursive

The short-id library has not been updated in 7 years and has a dependency on the merge-recursive library, which GitHub just issued a high-severity security warning for. To fix the security vulnerability on our end we went with a similar library called shortid (without the dash), which has been more recently updated and does not have a subdependency on merge-recursive. Its only dependency is the library nanoid, which itself has no dependencies.
---
 packages/core/package.json | 2 +-
 packages/core/rollup.config.js | 2 +-
 .../SuccessStoryCardDesktop.js | 2 +-
 .../SuccessStoryCardMobile.js | 2 +-
 .../core/src/components/Carousel/Carousel.js | 2 +-
 .../src/components/GridLayout/GridLayout.js | 2 +-
 .../MobileCarousel/MobileCarousel.js | 2 +-
 yarn.lock | 47 ++++--------------
 8 files changed, 17 insertions(+), 44 deletions(-)

diff --git a/packages/core/package.json b/packages/core/package.json
index 18adf5609..6d20fe6e0 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -43,7 +43,7 @@
     "react-on-visible": "^1.5.0",
     "react-portal": "^4.1.3",
     "react-transition-group": "1.x",
-    "short-id": "^0.1.0-1",
+    "shortid": "^2.2.15",
     "subscribe-ui-event": "^1.1.1",
     "warning": "^3.0.0"
   },
diff --git a/packages/core/rollup.config.js b/packages/core/rollup.config.js
index 7b37e84ef..176aadcf5 100644
--- a/packages/core/rollup.config.js
+++ b/packages/core/rollup.config.js
@@ -98,7 +98,7 @@ export default {
   external: [
     '@appearhere/react-input-range',
     '@appearhere/react-stickynode',
-    'short-id',
+    'shortid',
     'nuka-carousel',
     'classnames',
     'classnames/bind',
diff --git a/packages/core/src/components/Cards/SuccessStoryCard/SuccessStoryCardDesktop.js b/packages/core/src/components/Cards/SuccessStoryCard/SuccessStoryCardDesktop.js
index 0803ca6dc..7ae0a2870 100644
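Review bot: The package.json hunk changes which module the existing `shortid` import binding resolves to, but none of the call sites that use that binding are in this patch, so API compatibility cannot be confirmed from the diff; as far as I recall the old `short-id` module exposed a `configure()` method alongside `generate()` that the new `shortid` package does not provide, so each use in the five component files renamed here (SuccessStoryCardDesktop.js, SuccessStoryCardMobile.js, Carousel.js, GridLayout.js and MobileCarousel.js) should be checked to call only `shortid.generate()`. Since the accompanying yarn.lock entry shows `shortid` is itself a thin layer over `nanoid "^2.1.0"`, depending on nanoid directly would remove one more maintainer from the trust chain if the components only need an opaque unique key. The `^2.2.15` range is fixed to 2.2.15 by the lockfile entry with a sha512 integrity field, so the resolved artifact is pinned; a `yarn audit` step in CI would surface the next transitive advisory earlier than a forge alert did this time.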
--- a/packages/core/src/components/Cards/SuccessStoryCard/SuccessStoryCardDesktop.js
+++ b/packages/core/src/components/Cards/SuccessStoryCard/SuccessStoryCardDesktop.js
@@ -1,7 +1,7 @@
 import React from 'react';
 import PropTypes from 'prop-types';
 import cx from 'classnames';
-import shortid from 'short-id';
+import shortid from 'shortid';
 import FittedImage from '../../FittedImage/FittedImage';
 import IconLink from '../../IconLink/IconLink';
 import RemoveOrphans from '../../RemoveOrphans/RemoveOrphans';
diff --git a/packages/core/src/components/Cards/SuccessStoryCard/SuccessStoryCardMobile.js b/packages/core/src/components/Cards/SuccessStoryCard/SuccessStoryCardMobile.js
index 3454eb1ad..f9627c522 100644
--- a/packages/core/src/components/Cards/SuccessStoryCard/SuccessStoryCardMobile.js
+++ b/packages/core/src/components/Cards/SuccessStoryCard/SuccessStoryCardMobile.js
@@ -1,6 +1,6 @@
 import React from 'react';
 import PropTypes from 'prop-types';
-import shortid from 'short-id';
+import shortid from 'shortid';
 import FittedImage from '../../FittedImage/FittedImage';
 import Icon from '../../Icon/Icon';
 import RemoveOrphans from '../../RemoveOrphans/RemoveOrphans';
diff --git a/packages/core/src/components/Carousel/Carousel.js b/packages/core/src/components/Carousel/Carousel.js
index 24698916c..0ca2d46b3 100644
--- a/packages/core/src/components/Carousel/Carousel.js
+++ b/packages/core/src/components/Carousel/Carousel.js
@@ -2,7 +2,7 @@ import PropTypes from 'prop-types';
 import React, { useState, useEffect } from 'react';
 import cx from 'classnames';
 import NukaCarousel from 'nuka-carousel';
-import shortid from 'short-id';
+import shortid from 'shortid';
 import Icon from '../Icon/Icon';
 import BtnContainer from '../BtnContainer/BtnContainer';
 import ScreenReadable from '../ScreenReadable/ScreenReadable';
diff --git a/packages/core/src/components/GridLayout/GridLayout.js b/packages/core/src/components/GridLayout/GridLayout.js
index ad3401b6a..51a4cb6db 100644
--- a/packages/core/src/components/GridLayout/GridLayout.js
+++ b/packages/core/src/components/GridLayout/GridLayout.js
@@ -1,7 +1,7 @@
 import React, { Component } from 'react';
 import css from './GridLayout.css';
 import PropTypes from 'prop-types';
-import shortid from 'short-id';
+import shortid from 'shortid';
 
 export default class GridLayout extends Component {
   static propTypes = {
diff --git a/packages/core/src/components/MobileCarousel/MobileCarousel.js b/packages/core/src/components/MobileCarousel/MobileCarousel.js
index 0df155371..2fb2be178 100644
--- a/packages/core/src/components/MobileCarousel/MobileCarousel.js
+++ b/packages/core/src/components/MobileCarousel/MobileCarousel.js
@@ -1,6 +1,6 @@
 import PropTypes from 'prop-types';
 import React, { Children } from 'react';
-import shortid from 'short-id';
+import shortid from 'shortid';
 
 import css from './MobileCarousel.css';
 
diff --git a/yarn.lock b/yarn.lock
index 626b017b7..998914560 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2963,11 +2963,6 @@ assert@^1.1.1: dependencies: util "0.10.3" -assertion-error@1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/assertion-error/-/assertion-error-1.0.0.tgz#c7f85438fdd466bc7ca16ab90c81513797a5d23b" - integrity sha1-x/hUOP3UZrx8oWq5DIFRN5el0js= - assertion-error@^1.1.0: version "1.1.0" resolved "https://registry.yarnpkg.com/assertion-error/-/assertion-error-1.1.0.tgz#e60b6b0e8f301bd97e5375215bda406c85118c0b"
@@ -10776,11 +10771,6 @@ merge-descriptors@1.0.1: version "1.0.1" resolved "https://registry.yarnpkg.com/merge-descriptors/-/merge-descriptors-1.0.1.tgz#b00aaa556dd8b44568150ec9d1b953f3f90cbb61" -merge-recursive@0.0.3: - version "0.0.3" - resolved "https://registry.yarnpkg.com/merge-recursive/-/merge-recursive-0.0.3.tgz#de7901efcaecc906d8cab2ad1e9c470f5a3dae84" - integrity sha1-3nkB78rsyQbYyrKtHpxHD1o9roQ= - merge-stream@^1.0.1: version "1.0.1" resolved "https://registry.yarnpkg.com/merge-stream/-/merge-stream-1.0.1.tgz#4041202d508a342ba00174008df0c251b8c135e1"
@@ -11158,6 +11148,11 @@ nan@^2.3.0: version "2.10.0" resolved "https://registry.yarnpkg.com/nan/-/nan-2.10.0.tgz#96d0cd610ebd58d4b4de9cc0c6828cda99c7548f" +nanoid@^2.1.0: + version "2.1.8" + resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-2.1.8.tgz#2dbb0224231b246e3b4c819de7bfea6384dabf08" + integrity sha512-g1z+n5s26w0TGKh7gjn7HCqurNKMZWzH08elXzh/gM/csQHd/UqDV6uxMghQYg9IvqRPm1QpeMk50YMofHvEjQ== + nanomatch@^1.2.9: version "1.2.9" resolved "https://registry.yarnpkg.com/nanomatch/-/nanomatch-1.2.9.tgz#879f7150cb2dab7a471259066c104eee6e0fa7c2"
@@ -11531,13 +11526,6 @@ nwmatcher@^1.4.1, nwmatcher@^1.4.3: version "1.4.4" resolved "https://registry.yarnpkg.com/nwmatcher/-/nwmatcher-1.4.4.tgz#2285631f34a95f0d0395cd900c96ed39b58f346e" -oath@latest: - version "1.0.0" - resolved "https://registry.yarnpkg.com/oath/-/oath-1.0.0.tgz#2f4e1f7797b903a78b243527dc68245b0aeb0d58" - integrity sha1-L04fd5e5A6eLJDUn3GgkWwrrDVg= - dependencies: - simple-assert "~1.0.0" - oauth-sign@~0.8.1, oauth-sign@~0.8.2: version "0.8.2" resolved "https://registry.yarnpkg.com/oauth-sign/-/oauth-sign-0.8.2.tgz#46a6ab7f0aead8deae9ec0565780b7d4efeb9d43"
@@ -14707,13 +14695,6 @@ schema-utils@^2.0.0: ajv "^6.10.2" ajv-keywords "^3.4.1" -sechash@~0.2.1: - version "0.2.1" - resolved "https://registry.yarnpkg.com/sechash/-/sechash-0.2.1.tgz#8b71fe47d68272f47a35f1640e4cc921325b133b" - integrity sha1-i3H+R9aCcvR6NfFkDkzJITJbEzs= - dependencies: - oath latest - section-iterator@^2.0.0: version "2.0.0" resolved "https://registry.yarnpkg.com/section-iterator/-/section-iterator-2.0.0.tgz#bf444d7afeeb94ad43c39ad2fb26151627ccba2a"
@@ -14965,25 +14946,17 @@ shellwords@^0.1.1: version "0.1.1" resolved "https://registry.yarnpkg.com/shellwords/-/shellwords-0.1.1.tgz#d6b9181c1a48d397324c84871efbcfc73fc0654b" -short-id@^0.1.0-1: - version "0.1.0-1" - resolved "https://registry.yarnpkg.com/short-id/-/short-id-0.1.0-1.tgz#a4c0f3537fff4623ff84964882b5d43019a24095" - integrity sha1-pMDzU3//RiP/hJZIgrXUMBmiQJU= +shortid@^2.2.15: + version "2.2.15" + resolved "https://registry.yarnpkg.com/shortid/-/shortid-2.2.15.tgz#2b902eaa93a69b11120373cd42a1f1fe4437c122" + integrity sha512-5EaCy2mx2Jgc/Fdn9uuDuNIIfWBpzY4XIlhoqtXF6qsf+/+SGZ+FxDdX/ZsMZiWupIWNqAEmiNY4RC+LSmCeOw== dependencies: - merge-recursive "0.0.3" - sechash "~0.2.1" + nanoid "^2.1.0" signal-exit@^3.0.0, signal-exit@^3.0.2: version "3.0.2" resolved "https://registry.yarnpkg.com/signal-exit/-/signal-exit-3.0.2.tgz#b5fdc08f1287ea1178628e415e25132b73646c6d" -simple-assert@~1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/simple-assert/-/simple-assert-1.0.0.tgz#53f1790000d714424124290780bc2a3e511cf0ef" - integrity sha1-U/F5AADXFEJBJCkHgLwqPlEc8O8= - dependencies: - assertion-error "1.0.0" - simple-swizzle@^0.2.2: version "0.2.2" resolved "https://registry.yarnpkg.com/simple-swizzle/-/simple-swizzle-0.2.2.tgz#a4da6b635ffcccca33f70d17cb92592de95e557a"
From df476b54e392af40c66d1af91c40604819742ddf Mon Sep 17 00:00:00 2001
From: Loran Mutafov
Date: Mon, 16 Dec 2019 12:02:02 +0000
Subject: [PATCH 2/2] Clean up unused imports

---
 packages/core/src/components/Carousel/Carousel.js | 2 +-
 packages/core/src/components/MobileCarousel/MobileCarousel.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/core/src/components/Carousel/Carousel.js b/packages/core/src/components/Carousel/Carousel.js
index 0ca2d46b3..8fae17b32 100644
--- a/packages/core/src/components/Carousel/Carousel.js
+++ b/packages/core/src/components/Carousel/Carousel.js
@@ -1,5 +1,5 @@
 import PropTypes from 'prop-types';
-import React, { useState, useEffect } from 'react';
+import React, { useState } from 'react';
 import cx from 'classnames';
 import NukaCarousel from 'nuka-carousel';
 import shortid from 'shortid';
diff --git a/packages/core/src/components/MobileCarousel/MobileCarousel.js b/packages/core/src/components/MobileCarousel/MobileCarousel.js
index 2fb2be178..30fe70fbc 100644
--- a/packages/core/src/components/MobileCarousel/MobileCarousel.js
+++ b/packages/core/src/components/MobileCarousel/MobileCarousel.js
@@ -1,5 +1,5 @@
 import PropTypes from 'prop-types';
-import React, { Children } from 'react';
+import React from 'react';
 import shortid from 'shortid';
 
 import css from './MobileCarousel.css';