Jest: Jest Release | Dependency updates

Created on 30 Dec 2019 · 21 Comments · Source: facebook/jest

🐛 Bug Report

I am getting an error across a lot of my repositories about an outdated handlebars vulnerability. To fix this, dependabot is telling me to update to 4.3.0.

However, I don't use handlebars. istanbul-reports is using handlebars. As of this PR handlebars is no longer included in istanbul-reports. Jest's outdated dependency tree around this was raised and addressed in this issue.

Unfortunately, this was committed on November 21st. The latest Jest available is for 24.9.0 which was released in August. Is there anything I have missed or can assist in to get this into master ASAP for both myself and others?

Thanks Jest Team

To Reproduce

Install Jest 2.4.9 and push to a github repo

Expected behavior

No dependabot issues were expected.

Question Discussion

All 21 comments

For now, if anyone is looking to fix this, you'll be getting this error from istanbul-reports using handlebars in your yarn.lock file. To fix this, head over to your yarn.lock and either change the version of istanbul-reports to 3.0.0 (when they fixed the handlebars) or the version of handlebars to 4.3.0 explicitly.

In my yarn.lock that looks like this:

Facing the same problem. @builtbyproxy thanks for the solution. But it is a temporary solution; Jest should be fixed.

Just delete the handlebars entry in your lockfile and rerun yarn/npm - that'll pull in the fixed version of handlebars.


As for a release, I don't have the permissions to make one. I've poked some FB people, hopefully a release will happen now that the holidays are over.

@SimenB That's awesome, Thanks a lot! Looking forward to some responses then

New week, new problems. Just bumping you and your contacts @SimenB so this doesn't fall through
Thanks a lot

I heard back on Friday, and the current plan is this week

Excellent! Thanks a lot for the commitment on this @SimenB

After we get this release out the door I'll be trying to set up a better system for releases. 25 has been painful for all involved.

Happy to help within my capabilities on that @SimenB

Hi Guys,
I have the same problem. I have tried to fix it by deleting handlebars entry from lock file and also tried deleting the whole lock file and rerun npm, still "Istanbul-reports" always goes back to handlebars 4.1

@AlshymaaCS As mentioned in this comment you can explicitly change your lockfile. You'll have to make sure it's correct each time you run yarn, but this issue should be fixed this week so it's not a huge problem.

Correct accesses were granted to another fb employee on Friday so he could make a new release, but it seems it came a bit too late for a release. Hopefully one will come early next week.


When it comes to the handlebars issue specifically, you can update to the latest release of istanbul-reports (just delete its entry from your lockfile) which has removed the dependency on handlebars. Fresh installs of Jest 24 no longer pull in handlebars at all.
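
An added example, not part of the original thread or the Jest project's code: a Node.js check for the lockfile workaround described in the comments above. It reads yarn.lock v1 text and reports any resolved handlebars below 4.3.0 (the version Dependabot asked for) together with the entries that request it. The sample lockfile, the function names and the simplified parser are assumptions made for illustration.

```javascript
// SAMPLE_LOCK is a constructed yarn.lock v1 excerpt, not taken from a real project.
const SAMPLE_LOCK = `# yarn lockfile v1

handlebars@^4.1.2:
  version "4.1.2"

istanbul-reports@^2.2.6:
  version "2.2.6"
  dependencies:
    handlebars "^4.1.2"
`;

// Parse yarn.lock v1 text into [{ name, version, deps: { name: range } }] (simplified parser).
function parseYarnLock(text) {
  const entries = [];
  let cur = null, inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {                 // header: one or more "name@range" specifiers
      const spec = line.replace(/:$/, '').split(',')[0].trim().replace(/^"|"$/g, '');
      cur = { name: spec.slice(0, spec.lastIndexOf('@')), version: null, deps: {} };
      entries.push(cur);
      inDeps = false;
    } else if (cur && /^ {2}\S/.test(line)) {    // entry-level field (2-space indent)
      const m = line.match(/^ {2}version "?([^"]+)"?$/);
      if (m) cur.version = m[1];
      inDeps = /^ {2}(optionalD|d)ependencies:$/.test(line);
    } else if (cur && inDeps) {                  // dependency line: name "range"
      const m = line.trim().match(/^"?([^"\s]+)"? "?([^"]+)"?$/);
      if (m) cur.deps[m[1]] = m[2];
    }
  }
  return entries;
}

// True when version a is lower than b (numeric major.minor.patch; prerelease tags ignored).
function lowerThan(a, b) {
  const [pa, pb] = [a, b].map(v => v.split('.').map(n => parseInt(n, 10) || 0));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// List each resolved copy of pkg below minVersion, with the lockfile entries that depend on pkg.
function auditLock(text, pkg = 'handlebars', minVersion = '4.3.0') {
  const entries = parseYarnLock(text);
  return entries.filter(e => e.name === pkg && e.version && lowerThan(e.version, minVersion))
    .map(e => ({ version: e.version,
      requiredBy: entries.filter(p => pkg in p.deps).map(p => `${p.name}@${p.version}`) }));
}
console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To check a real project, pass `fs.readFileSync('yarn.lock', 'utf8')` to `auditLock`; an empty array means no resolved handlebars entry is below 4.3.0.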

Thanks @SimenB
We have fixed the handlebars bug temporarily by editing our .lock accordingly.
Jest hasn't been updated for quite some time and there are numerous fixes and changes that have happened in some of its core dependencies, notably istanbul. It would be great if these could all be released into the npmjs version to mirror that of your Master branch

Tentative release day is Thursday this week

Unreal! Thanks a lot @SimenB

Tentative release day is Thursday this week

We're waiting :)

I am as well. It's 9am on the west coast, tho

Pushed back to Tuesday 🙁

@SimenB Thanks for all the hard work you do on Jest and keeping us informed. I for one really appreciate it

@SimenB Appreciate you keeping us in the loop! As long as it's inching forward I'm happy! haha thanks
