yarn-error.log published with @parcel/logger@1.11.1 triggering GitHub Vulnerability Alert
🐛 bug report
It seems that a yarn-error.log file was published inadvertently by @devongovett in the @parcel/logger@1.11.1 package.
This file contains a reference to safer-eval, which has a critical vulnerability. This does not affect parcel users in any way.
That being said, it seems that GitHub parses this file and triggers a GitHub Alert anyway.
🎛 How to Reproduce
In order to reproduce, install the package, and you’ll find the file at node_modules/@parcel/logger/yarn-error.log.
$ yarn add @parcel/logger@1.11.1
$ head node_modules/@parcel/logger/yarn-error.log -n 25
Arguments:
/Users/devongovett/.nvm/versions/node/v8.11.1/bin/node /Users/devongovett/.nvm/versions/node/v8.11.1/lib/node_modules/yarn/lib/cli.js add @parcel/workers
PATH:
/Users/devongovett/.nvm/versions/node/v8.11.1/bin:/Users/devongovett/.cargo/bin:/Users/devongovett/Downloads/emsdk_portable:/Users/devongovett/Downloads/emsdk_portable/clang/e1.35.0_64bit:/Users/devongovett/Downloads/emsdk_portable/node/4.1.1_64bit/bin:/Users/devongovett/Downloads/emsdk_portable/emscripten/1.35.0:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/X11/bin:/Users/devongovett/.cargo/bin:/usr/local/mysql/bin
Yarn version:
1.10.1
Node version:
8.11.1
Platform:
darwin x64
Trace:
Error: https://registry.npmjs.org/@parcel%2fworkers: Not found
at Request.params.callback [as _callback] (/Users/devongovett/.nvm/versions/node/v8.11.1/lib/node_modules/yarn/lib/cli.js:61073:18)
at Request.self.callback (/Users/devongovett/.nvm/versions/node/v8.11.1/lib/node_modules/yarn/lib/cli.js:120166:22)
at emitTwo (events.js:126:13)
at Request.emit (events.js:214:7)
at Request.<anonymous> (/Users/devongovett/.nvm/versions/node/v8.11.1/lib/node_modules/yarn/lib/cli.js:121138:10)
at emitOne (events.js:116:13)
at Request.emit (events.js:211:7)
at IncomingMessage.<anonymous> (/Users/devongovett/.nvm/versions/node/v8.11.1/lib/node_modules/yarn/lib/cli.js:121060:12)
In this file, you can see a reference to safer-eval:
$ grep "safer-eval" node_modules/@parcel/logger/yarn-error.log
safer-eval@^1.2.3:
resolved "https://registry.yarnpkg.com/safer-eval/-/safer-eval-1.2.3.tgz#73ba74a34bc8a07d6a44135c815fd18a8eebe7a0"
safer-eval "^1.2.3
Even though this dependency is no longer used in parcel, having this dependency on any GitHub repository will trigger a vulnerability alert.
💁 Possible Solution
Apart from explaining this situation to all @parcel/logger users, I don’t know if there is a solution.
May I suggest that the next versions of Parcel packages ignore the yarn-error.log file.
I didn’t try to find this file in other versions of Parcel packages. I contacted GitHub Support to get more info about that alert; I’ll update the issue when they respond.
Sorry! I had an old version in my package.json as well -- whoops. Just wanted to be certain - thanks all.
On our library, we use pasteljs, which directly uses parcel-bundler@1.12.4 and not parcel.