-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider updating dependency versions #2144
Comments
We support eslint 2, and all the node versions it supports, so I’m pretty sure everything is as updated as it could possibly be. |
Ah I didn't realize compat for old eslint versions went so far back. That helps explain it, thanks! Would it make sense to to a major version split and drop support for very old eslint versions at some point? Of course you've probably already thought about that, I'm just curious. |
There's not much of a benefit to doing that. Most CVEs are false positives anyways, especially in the eslint ecosystem. For the one you referenced, see #2047. |
There are multiple issues with this approach.
|
node_modules size is irrelevant; disk space is infinite and free. Yes, i understand that the fact that 99% of CVEs are false positives makes security scanners inconvenient. The solution isn’t to make one-off changes in specific deps, it’s to fix the security industry, or fix your metrics for what’s acceptable. I would be very shocked if cold start require time mattered to eslint performance significantly. Either way, updating deps would have zero impact on this cost. |
It is not true. https://paulmillr.com/posts/chokidar-3-save-32tb-of-traffic/ Eslint alone:
Eslint and eslint-plugin-import
10MB is a non-trivial amount.
eslint is used as IDE/Editor plugin, pre commit hook, cli in CI/CD, webpack loader etc. On Project with 3 source files, without any imports
With eslint-plugin-import
Just loading this plugin would add 100ms to startup time of eslint. Let's estimate that this plugin is loaded 1milion times daily.
You do not understand. In big companies, scanners are mandated and often every exception need to be approved by a human. We are not an asking to micro optimize this plugin for require times. Just try to follow best practices and update dependencies on regular basis via automated dependabot/renovate. |
I do understand; i work in big companies. The only solution is to fix such naive mandating, and persuade your security teams to recognize that the cost of false positives is much higher than the cost of false negatives. We do follow best practices - all our deps are as updated as they can be. If you’d like to ensure that those deps follow best practices and backport security fixes to older major lines, then we’d be able to update to those. |
@ljharb I have to question why support for ESLint v2 is so important. ESLint v3 was released in 2016 which dropped support for node < 4. The current v7 release of ESLint supports node =v10 and >=v12. Node versions <=v11 are end-of-life, so even the current release of ESLint supports an end-of-life version of node, which should be plenty of historical support. You're essentially supporting a version of node that was marked end-of-life over four and a half years ago. |
EOL status and date is irrelevant. |
@ljharb that's it? No future updates just to keep the support for EOL versions of ESLint? As pointed above, projects like this need to be kept up to date for a lot of reasons. Your decision is making me rethink the usage of this package on our project. |
@mccraveiro Nobody said "no future updates". The problem is that these specific dependencies decided to be hostile to their consumers, and unnecessarily drop support of older node versions. The future update will be removing these dependencies and replacing them with friendlier ones. Most CVEs are false positives; literally every single one of them this issue refers to 100% does not apply to this plugin's usage of the packages. If you insist on blindly treating every CVE as a commandment not to use the package, then you'll rapidly find yourself running out of ecosystem packages to use. |
That's a fine solution for this issue. However you closed this issue without a resolution or an explanation about this roadmap. That's much more reassuring and friendly. Thanks for the update! |
@mccraveiro Fair enough :-) and np, happy to elaborate whenever needed. This particular category of problem is exceedingly noisy and one of the primary causes of maintainer burnout, so my temper's a bit short with it. See https://overreacted.io/npm-audit-broken-by-design/ |
Hi, thanks for the useful plugin!
I noticed the versions of some of this package's dependencies are very old. For example, the read-pkg-up version is from 4 years ago: https://github.com/benmosher/eslint-plugin-import/blob/master/package.json#L114
This can lead to insecure transitive dependencies being brought in for users of this plugin.
For example: eslint-plugin-import > read-pkg-up > read-pkg > normalize-package-data > hosted-git-info@2, which recently had a security alert.
The text was updated successfully, but these errors were encountered: