
greenkeeper pr's failing #329

Closed
seriousme opened this issue Jun 2, 2018 · 7 comments

Comments

@seriousme

Hi,

I noticed that there are 10 PRs created by greenkeeper waiting for merge.
I looked at some of them and they seem to show red because Travis had no access to the most recent version of the dependency at the time of PR creation. I had the same issue in some of my repos some time ago, and just asking Travis to rebuild solved the issue for me.

The reason for creating the issue is that NPM audit keeps complaining about vulnerable dependencies of pouchdb-server :-(

Most notably:

  High            Regular Expression Denial of Service
  Package         sshpk
  Dependency of   pouchdb-server
  Path            pouchdb-server > pouchdb-adapter-node-websql > websql >
                  sqlite3 > node-pre-gyp > request > http-signature > sshpk
  More info       https://nodesecurity.io/advisories/606

Fixed by: #313

  High            Regular Expression Denial of Service
  Package         fresh
  Patched in      >= 0.5.2
  Dependency of   pouchdb-server
  Path            pouchdb-server > serve-favicon > fresh
  More info       https://nodesecurity.io/advisories/526

Fixed by: #315

Fixing these would be much appreciated.

Kind regards,
Hans
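The two findings quoted above were noticed by running npm audit by hand. As an added example (not code from pouchdb-server, greenkeeper or the thread's participants), the script below turns the same information into a CI gate: it reads an `npm audit --json` report, keeps every finding at or above a chosen severity, and prints it in the column layout npm uses. The sample report is constructed; its field names follow the npm 6 audit JSON layout as understood by the author of this example, which is an assumption and not something the issue states. Advisory ids 606 and 526, the package names and the "Patched in >= 0.5.2" value come from the audit output above; the installed versions are made up.

```javascript
// Added example: gate a build on `npm audit --json` output. Not part of
// pouchdb-server. The report shape (advisories keyed by id, each with
// module_name, severity, patched_versions, url and findings[].paths) is
// assumed to match npm 6; verify against your npm version before relying on it.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns one entry per advisory/dependency-path pair whose severity is at
// or above `threshold`, most severe first. Unknown severities are skipped.
function findingsAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  const out = [];
  for (const adv of Object.values(report.advisories || {})) {
    const rank = SEVERITY_RANK[adv.severity];
    if (rank === undefined || rank < min) continue;
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        out.push({
          id: adv.id,
          severity: adv.severity,
          module: adv.module_name,
          title: adv.title,
          installed: finding.version,
          patched: adv.patched_versions,
          path,
          url: adv.url,
        });
      }
    }
  }
  return out.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Renders a finding in the same two-column layout npm audit prints.
function formatFinding(f) {
  const col = (label) => `  ${label.padEnd(15)} `;
  const severity = f.severity[0].toUpperCase() + f.severity.slice(1);
  return [
    col(severity) + f.title,
    col('Package') + f.module,
    col('Installed') + f.installed,
    col('Patched in') + (f.patched || 'not stated'),
    col('Path') + f.path.split('>').join(' > '),
    col('More info') + f.url,
  ].join('\n');
}

// Constructed sample report (installed versions are invented; the sshpk
// advisory omits patched_versions because the thread does not give it).
const sampleReport = {
  advisories: {
    '606': {
      id: 606, module_name: 'sshpk', severity: 'high',
      title: 'Regular Expression Denial of Service',
      url: 'https://nodesecurity.io/advisories/606',
      findings: [{ version: '1.13.1', paths: [
        'pouchdb-adapter-node-websql>websql>sqlite3>node-pre-gyp>request>http-signature>sshpk',
      ] }],
    },
    '526': {
      id: 526, module_name: 'fresh', severity: 'high',
      title: 'Regular Expression Denial of Service',
      patched_versions: '>= 0.5.2',
      url: 'https://nodesecurity.io/advisories/526',
      findings: [{ version: '0.5.1', paths: ['serve-favicon>fresh'] }],
    },
    '9999': {
      id: 9999, module_name: 'example-pkg', severity: 'low',
      title: 'Constructed low-severity advisory',
      patched_versions: '>= 2.0.0',
      url: 'https://example.invalid/advisories/9999',
      findings: [{ version: '1.0.0', paths: ['example-pkg'] }],
    },
  },
};

const blocking = findingsAbove(sampleReport, 'high');
console.log(blocking.map(formatFinding).join('\n\n'));
console.log(`\n${blocking.length} finding(s) at or above "high"`);
```

In a pipeline, replace `sampleReport` with `JSON.parse` of the captured `npm audit --json` output and exit non-zero when the returned list is non-empty; the threshold is the one knob, so a team can start at `critical` and tighten it without touching the parsing.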

@marten-de-vries
Member

Thanks for your bug report.

Just rebuilding is not enough, sadly. See e.g. https://travis-ci.org/pouchdb/pouchdb-server/jobs/342637398 which I just triggered manually. I don't have time to look further into the issue myself, but if anyone has time to do so feel free to @mention me in resulting PRs so I can help with getting things merged.

@seriousme
Author

I checked the build log you mentioned, and its reason for failing is the problem with greenkeeper updating the package.json but not the package-lock.json.

The quick fix is to check out the greenkeeper branch, run npm i and commit the package-lock.json.

However this problem will repeat itself on the next greenkeeper branch :-(
The solution is described at: https://github.com/greenkeeperio/greenkeeper-lockfile

This will ensure that as soon as greenkeeper creates a new branch and travis-ci runs the CI, the package-lock.json will be pushed back to the branch. Unfortunately this does not fix any existing greenkeeper branches :-(

@marten-de-vries
Member

Ok, that seems to fix the build for the sqlite3 branch. Others fail on npm install because of some sqlite error, so I guess merging the sqlite3 branch should be the first focus. If it passes Travis, I'll do so tomorrow.

@marten-de-vries
Member

Ok, two PRs left open. memdown and nomnom. Both are special cases: the first changed API in such a way that it broke the tests, the second is no longer developed.

I looked into greenkeeper-lockfile, but there are a couple of problems

Probably all fixable, but currently too much work for me. Leaving this open in the hope someone will figure this out. Also so a release can happen at some point again, incorporating the updates.

@seriousme
Author

Thanks for putting in the effort!

With regard to the two remaining items:

A new release (even without the above 2 items) would be appreciated as this will resolve my initial question ;-)

@marten-de-vries
Member

Alright. PouchDB itself still seems to use the old memdown, so I'm going to follow it in that. Nice find on the nomnom fork, I'm running CI on that now. If it passes, I'll merge it. I'll make a release next.
