-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v3.8.1 proposal (became v4.0.0) #1718
Conversation
fcb0117025 needs the rest of the changes to Could you also swap the ordering so that the update to tar 4.4.8 comes last? That way every commit would build in case we'd ever want to bisect. |
Tar version 3 performs better and is more well tested than its predecessor. npm will be using this in the near future, so there is no benefit in shipping a node-gyp that uses the slower and less reliable fstream-based tar. This drops support for node 0.x, and thus should be considered a breaking semver-major change. PR-URL: nodejs#1212 Reviewed-By: Refael Ackermann <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Gibson Fahnestock <[email protected]>
PR-URL: nodejs#1713 Reviewed-By: Refael Ackermann <[email protected]>
Rebased over 6e1e425 |
Shouldn't CI jobs for 0.10 and 0.12 be removed from the matrix as support is dropped ? |
Will do, but only after this PR gets some LGTMs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- [
3578b2abf0
] - deps: explicit limit on supported engines (Refael Ackermann)
nit: maybe reword this commit message? The supported engines was bumped in the earlier tar v3 commit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RSLGTM
Shouldn't this be a semver-minor or semver-major though, since we're dropping support for Node.js 4?
@@ -32,11 +31,11 @@ | |||
"request": "^2.87.0", | |||
"rimraf": "2", | |||
"semver": "~5.3.0", | |||
"tar": "^2.0.0", | |||
"tar": "4", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be?:
"tar": "4", | |
"tar": "^4.4.8", |
Otherwise users without npm audit
may still get the unsecure version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is the only part left in 6bc9bf1 so I'm removing that commit entirely and it'll end up with ^4.4.8
looks like version should be 4.0.0 according to semver due to breaking changes |
When updating dependencies (in this case node) SemVer does not necessarily require a major release.
|
Can someone explain what the hold up is here please? |
Two can not be fixed yet: - swagger-api/swagger-node#579 - nodejs/node-gyp#1718
Ping @refack If this includes a breaking change, it should also be a new major version. I believe it should be possible to release a 3.8.1 that just includes the non breaking commits and then to release v4.0.0 right after. |
Hi, would the major change be limited to requiring Node > 4? If so, it would be acceptable to explain in the changelog (if it's visible enough) that projects that are already on a recent Node version can upgrade without problems. At least for Etherpad (ether/etherpad-lite#3598) this would be ok. A minor version that only solves the vulnerability would clearly even better (if technically possible). |
@xzyfer Perhaps an issue should be filed to https://github.com/npm/node-tar as the starting point, explaining that the usage of older branches is still high and that updating to |
Partial resolution of https://www.npmjs.com/advisories/803 Full resolution pending nodejs/node-gyp#1718
@ChALkeR done in isaacs/node-tar#212 |
@xzyfer Thanks! I left a comment there and also pinged npm about that. |
If there are concerns with releasing this, there is nothing wrong with making it a major release. |
v4.0.0 is out, now we have to consider the |
|
Thank you for releasing!! |
Is there any plan to cut a node-gyp release that doesn't break support for Node < 4 if a fix for node-tar@2 can be found? |
@xzyfer I think it'd be reasonable to cut another v3.x if you can get an old branch of node-tar released that will work with it |
What about forking tar, fixing the issue in v2 and to use the fork in node-gyp 3 (ideally we do not need a fork and just a PR and a new release for tar@2)? I know it's just a work around but that's at least something we could do for people who can't update yet. |
No need to fork. The node-tar folks have said they're open to accepting a PR. |
we're having a hard enough time maintaining node-gyp, I don't think we really need another codebase to manage even if limited in scope |
I mentioned this on this thread (1456ef2) , but I am still having an issue when I update node-gyp. I run npm install node-gyp and get the correct 4.0.0 package, but then I get an error that I something changed and I need to "Run npm rebuild node-sass to download the binding for your current environment." When I do this, it re-loads the 3.8.x version of node-gyp. Error below from the rebuild of node-sass: gyp ERR! node -v v9.4.0 |
I have edited some info into the original post so as to make this less confusing. |
[email protected] has been released which patches the vulnerability. Would it be possible to cut release a [email protected] with this update so that upstreams aren't forced break old node BC? |
NVM looks like node-gyp depended on node-tar@^2.0.0 which should mean the issue is resolved. |
Github is still reporting the vulnerability as existing because NIST's vulnerability report didn't consider 2.2.2 of
So stay tuned, because soon tar 2.2.2 will be recognized as an acceptable, non-vulnerable version, and appropriate versions of node-gyp using |
Edit: @Fishrock123
Please see this comment for the final status of this issue: #1718 (comment)
v3.8.1 2019-04-12
Due to security concerns this version drops support for Node.js versions < 4.0.0
3578b2abf0
] - deps: explicit limit on supported engines (Refael Ackermann)ec8505e15f
] - deps: updated tar package version to 4.4.8 (Pobegaylo Maksim) #17136e1e425ffb
] - (BREAKING for node < 4) Upgrade to tar v3 (isaacs) #1212e6699d13cd
] - test: fix addon test for Node.js 12 and V8 7.4 (Richard Lau) #17050c6bf530a0
] - lib: use print() for python version detection (GreenAddress) #1534Checklist
npm install && npm test
passesDescription of change