Parcel: Parcel 1.x release?

Created on 10 Sep 2019 · 11 Comments · Source: parcel-bundler/parcel

❔ Question

Is there a plan to release the latest Parcel 1.x fixes?
The last NPM version is 1.12.3, published half a year ago.
There are a bunch of merged pull requests, and some of them contain important fixes and updates.

All 11 comments

zhaparoff, are you having issues installing with NPM and getting vulnerabilities?

@devongovett maybe we can get a final release for v1 out?

I really don't know. I was just having an issue myself and seen your issue. I was able to fix it but manually. I see they committed a fix to update serialize-to-js to 3.0.0 but only on the yarn.lock file. I tried installing with yarn but it never updates to 3.0.0.

@RonWaller, exactly. Actually, the main reason was the serialize-to-js dependency. Most likely, it can be fixed by installing the latest version of it at the root level... Will give it a try tomorrow. But as I could see from the PRs merged after the latest npm release, there were a few more things that could potentially lead to failing or invalid bundles. So it would be really nice to have them released to npm, even considering the ongoing 2.0 release.

@zhaparoff have you found a workaround?

I'm using [email protected] in kachkaev/aws-iot-button-logger-to-git. This causes yarn audit to fail with the following message:

yarn audit v1.19.0
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ serialize-to-js                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ parcel-bundler                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ parcel-bundler > serialize-to-js                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/790                         │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 886140
Severity: 1 High
✨  Done in 2.25s.

Besides, the Snyk report flags the same problem:

[Screenshot 2019-10-06 at 16 25 26]

Actually no. Installing an updated version of the serialize-to-js package explicitly didn't help. So I'm waiting for the next 1.x or stable 2.0 release...

These are not real vulnerabilities. Please ignore them.

@devongovett ignoring security issues is not always possible. Snyk integration or yarn audit can be added to CI/CD for compliance reasons, which would prevent releasing to production. Such compulsory checks are not the case for my personal repo I shared above, but I can easily imagine a team with such settings, which wants to rely on your tool.

IMHO Parcel is too popular to ignore security issues like this, even if they are false positives. You could release [email protected] without much effort, by just bumping serialize-to-js to v2. The only breaking change there is removal of deserialize, which you probably do not rely on anyway.

Fine. Published v1.12.4.

NPM really needs a way to mark an advisory in a dependency as "not an issue". Github's security auditing tool has that. It's very annoying for maintainers to get all these issues about things that aren't even real issues. And it's annoying for users who are blocked by these fake issues. 😠
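The thread turns on three things: the yarn audit advisory table above (advisory 790, serialize-to-js, patched in >=2.0.0, reached through parcel-bundler), the point that such audits gate CI/CD in many teams, and the wish for a way to mark an advisory as "not an issue". The script below is an added example, not part of this issue or of the Parcel project: it triages `yarn audit --json` output against a reviewed exception list and a severity threshold, so a CI gate can fail on unpatched high-severity findings while recording accepted ones with a written justification. The two NDJSON records are constructed to mirror the advisory shown in the thread; the field names (`type`, `data.advisory`, `data.resolution.path`, `data.resolution.dev`, `patched_versions`, `findings[].version`) follow yarn's audit JSON format as I understand it and are an assumption, as are the installed version `1.0.0` and the treatment of parcel-bundler as a devDependency.

```python
"""Triage `yarn audit --json` output with a reviewed exception list.

Added example for the parcel issue thread; not code from the project.
The sample records are constructed to mirror the advisory in the thread;
field names are assumed to follow yarn's NDJSON audit output.
"""
import json
import re

# Constructed sample of `yarn audit --json` (newline-delimited JSON).
SAMPLE_AUDIT_NDJSON = "\n".join([
    json.dumps({
        "type": "auditAdvisory",
        "data": {
            # "dev": True assumes parcel-bundler is a devDependency (assumption).
            "resolution": {"id": 790, "path": "parcel-bundler>serialize-to-js", "dev": True},
            "advisory": {
                "id": 790,
                "module_name": "serialize-to-js",
                "severity": "high",
                "title": "Denial of Service",
                "patched_versions": ">=2.0.0",
                # Installed version is a constructed value, not taken from the thread.
                "findings": [{"version": "1.0.0", "paths": ["parcel-bundler>serialize-to-js"]}],
                "url": "https://www.npmjs.com/advisories/790",
            },
        },
    }),
    json.dumps({"type": "auditSummary",
                "data": {"vulnerabilities": {"high": 1}, "totalDependencies": 886140}}),
])

# Reviewed exceptions: advisory id -> justification. This stands in for the
# "not an issue" marking the maintainer asks for; every entry is a conscious,
# reviewable decision rather than a silent suppression.
EXCEPTIONS = {
    790: "serialize-to-js runs only at build time on our own sources; no runtime DoS exposure",
}

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_version(v):
    """Turn 'X.Y.Z' (optionally with a suffix) into a comparable tuple."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())


def satisfies_patched(installed, patched_versions):
    """Minimal check for ranges of the form '>=X.Y.Z', which is what the
    advisory table prints. Any other range is treated as NOT satisfied so
    an advisory is never dropped because the range was not understood."""
    m = re.fullmatch(r">=\s*(\d+\.\d+\.\d+)", patched_versions.strip())
    if not m:
        return False
    return parse_version(installed) >= parse_version(m.group(1))


def triage(ndjson, exceptions=EXCEPTIONS, min_severity="high", fail_on_dev=True):
    """Return (blocking, accepted).

    blocking: unpatched advisories at or above min_severity with no exception.
    accepted: advisories suppressed, each carrying the reason for the record.
    """
    blocking, accepted = [], []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("type") != "auditAdvisory":
            continue  # skip the auditSummary record
        adv = rec["data"]["advisory"]
        res = rec["data"]["resolution"]
        installed = adv["findings"][0]["version"]
        item = {"id": adv["id"], "module": adv["module_name"], "severity": adv["severity"],
                "path": res["path"], "installed": installed, "patched": adv["patched_versions"],
                "dev": bool(res.get("dev", False))}
        if satisfies_patched(installed, adv["patched_versions"]):
            continue  # already on a patched version; nothing to report
        if SEVERITY_RANK.get(adv["severity"], 0) < SEVERITY_RANK[min_severity]:
            continue  # below the gate's threshold
        if item["dev"] and not fail_on_dev:
            accepted.append(dict(item, reason="dev-only dependency, not shipped to production"))
            continue
        if adv["id"] in exceptions:
            accepted.append(dict(item, reason=exceptions[adv["id"]]))
            continue
        blocking.append(item)
    return blocking, accepted


if __name__ == "__main__":
    blocking, accepted = triage(SAMPLE_AUDIT_NDJSON)
    for a in accepted:
        print(f"accepted  #{a['id']} {a['path']} ({a['severity']}): {a['reason']}")
    for b in blocking:
        print(f"BLOCKING  #{b['id']} {b['path']} ({b['severity']}) installed {b['installed']}, patched in {b['patched']}")
    raise SystemExit(1 if blocking else 0)
```

In a pipeline you would pipe `yarn audit --json` into `triage` and exit non-zero only on `blocking`, keeping the exception file under code review so that each "not an issue" decision has an owner and a reason. With an empty exception list the constructed advisory blocks the build, which is the situation described earlier in the thread; once the dependency is bumped to a version satisfying `>=2.0.0`, `satisfies_patched` drops it without any exception at all.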

Thanks for releasing 1.12.4 @devongovett 🙌 My project’s yarn audit and Snyk reports are now clean!

Totally agree with you that security issues are sometimes (if not often) noise. They are quite time-draining both to app developers and library maintainers, because of creating action pressure on both. It’d be great if you and other members of popular JavaScript projects could discuss this topic next time there is an opportunity. A conference or some other kind of informal gathering would be a great environment to do this IMO 😉

@kachkaev and @zhaparoff thanks for your attention to detail and proactiveness in helping the ecosystem modules by opening this issue.

@devongovett I completely get your point of view here. I'm a devrel at Snyk as well as participating in the Node.js Security WG, and if you'll be attending any upcoming confs (Node+Interactive will be a good opportunity for us) I'd love to connect with you. A faster way to capture some feedback and get the conversation going is probably through the https://github.com/nodejs/security-wg and https://github.com/nodejs/package-maintenance initiatives.
