Commit ed2e5c0
Yarn: Regenerate lockfile to unblock dependabot (#2837)
Summary:
Dependabot failed to update a dependency (https://github.com/pytorch/botorch/actions/runs/14734256627/job/41356188770) to a non-vulnerable version because of transitive dependencies. The upstream package was updated to use a non-vulnerable version but that isn't reflected in our existing lockfile. Deleting and regenerating resolves this.
Relevant discussion in Docusaurus issue thread: facebook/docusaurus#10491 (comment)
Pull Request resolved: #2837
Test Plan:
Before:
```
(venv) ~/Projects/botorch/website (main ✔) yarn audit
yarn audit v1.22.22
warning package.json: No license field
warning ../../../package.json: No license field
warning No license field
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Unpatched `path-to-regexp` ReDoS in 0.1.x │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.1.12 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ docusaurus/core │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ docusaurus/core > webpack-dev-server > express > │
│ │ path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1101844 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Unpatched `path-to-regexp` ReDoS in 0.1.x │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.1.12 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ docusaurus/preset-classic │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ docusaurus/preset-classic > docusaurus/core > │
│ │ webpack-dev-server > express > path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1101844 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Unpatched `path-to-regexp` ReDoS in 0.1.x │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.1.12 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ docusaurus/preset-classic │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ docusaurus/preset-classic > docusaurus/plugin-content-blog │
│ │ > docusaurus/core > webpack-dev-server > express > │
│ │ path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1101844 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Unpatched `path-to-regexp` ReDoS in 0.1.x │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.1.12 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ docusaurus/preset-classic │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ docusaurus/preset-classic > docusaurus/theme-classic > │
│ │ docusaurus/plugin-content-blog > docusaurus/core > │
│ │ webpack-dev-server > express > path-to-regexp │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1101844 │
└───────────────┴──────────────────────────────────────────────────────────────┘
4 vulnerabilities found - Packages audited: 1477
Severity: 4 High
✨ Done in 1.42s.
```
After:
```
(venv) ~/Projects/botorch/website (main ✔) rm yarn.lock
(venv) ~/Projects/botorch/website (main ✗) yarn && yarn audit
yarn install v1.22.22
warning package.json: No license field
warning ../../../package.json: No license field
info No lockfile found.
warning No license field
[1/4] 🔍 Resolving packages...
warning docusaurus/core > del > rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
warning docusaurus/core > webpack-dev-server > rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
warning docusaurus/core > shelljs > glob@7.2.3: Glob versions prior to v9 are no longer supported
warning docusaurus/core > del > rimraf > glob@7.2.3: Glob versions prior to v9 are no longer supported
warning docusaurus/core > react-dev-utils > fork-ts-checker-webpack-plugin > glob@7.2.3: Glob versions prior to v9 are no longer supported
warning docusaurus/core > shelljs > glob > inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
warning docusaurus/core > react-dev-utils > fork-ts-checker-webpack-plugin > memfs@3.6.0: this will be v4
warning docusaurus/core > webpack-dev-server > webpack-dev-middleware > memfs@3.6.0: this will be v4
warning plotly.js > color-rgba > color-space > mumath@3.3.4: Redundant dependency in your project.
[2/4] 🚚 Fetching packages...
warning Pattern ["react-helmet-async@npm:slorber/react-helmet-async@*"] is trying to unpack in the same destination "/Users/cristianlara/Library/Caches/Yarn/v6/npm-react-helmet-async-1.3.0-11fbc6094605cf60aa04a28c17e0aab894b4ecff-integrity/node_modules/react-helmet-async" as pattern ["react-helmet-async@npm:slorber/react-helmet-async@1.3.0","react-helmet-async@^1.3.0"]. This could result in non-deterministic behavior, skipping.
[3/4] 🔗 Linking dependencies...
warning " > docusaurus/core@3.7.0" has unmet peer dependency "mdx-js/react@^3.0.0".
warning "docusaurus/core > react-loadable-ssr-addon-v5-slorber@1.0.1" has unmet peer dependency "react-loadable@*".
warning "docusaurus/core > react-dev-utils > fork-ts-checker-webpack-plugin@6.5.3" has unmet peer dependency "typescript@>= 2.7".
warning "docusaurus/core > docusaurus/mdx-loader > mdx-js/mdx > recma-jsx > acorn-jsx@5.3.2" has unmet peer dependency "acorn@^6.0.0 || ^7.0.0 || ^8.0.0".
warning "docusaurus/preset-classic > docusaurus/theme-classic > mdx-js/react@3.1.0" has unmet peer dependency "types/react@>=16".
warning "docusaurus/preset-classic > docusaurus/theme-search-algolia > docsearch/react > algolia/autocomplete-preset-algolia@1.17.9" has unmet peer dependency "algolia/client-search@>= 4.9.1 < 6".
warning "docusaurus/preset-classic > docusaurus/theme-search-algolia > docsearch/react > algolia/autocomplete-core > algolia/autocomplete-shared@1.17.9" has unmet peer dependency "algolia/client-search@>= 4.9.1 < 6".
warning "docusaurus/preset-classic > docusaurus/theme-search-algolia > docsearch/react > algolia/autocomplete-core > algolia/autocomplete-plugin-algolia-insights@1.17.9" has unmet peer dependency "search-insights@>= 1 < 3".
warning "plotly.js > style-loader@4.0.0" has unmet peer dependency "webpack@^5.27.0".
warning "plotly.js > plotly/mapbox-gl > mapbox/mapbox-gl-supported@1.5.0" has unmet peer dependency "mapbox-gl@>=0.32.1 <2.0.0".
[4/4] 🔨 Building fresh packages...
success Saved lockfile.
✨ Done in 34.94s.
yarn audit v1.22.22
warning package.json: No license field
warning ../../../package.json: No license field
warning No license field
0 vulnerabilities found - Packages audited: 1482
✨ Done in 0.70s.
```
Reviewed By: esantorella, saitcakmak
Differential Revision: D73953681
Pulled By: CristianLara
fbshipit-source-id: aa723b820668463bf934f98e70207f6cf79f5f3f
1 parent 570d302
1 file changed: +1762 −1875 lines
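The commit message above describes the mechanism behind the stuck advisory: `yarn audit` reports the version actually pinned in `yarn.lock`, and a dependent that declares an exact range (here `express` on `path-to-regexp`) keeps that pin in place until the lockfile is regenerated. The following is an added example, not code from BoTorch, Docusaurus or Yarn: a small Yarn v1 (classic) lockfile parser that reports which locked versions of a package fall below its "Patched in" floor, which dependents pin it and with what range, and the root-to-package chains in the same shape as the `Path` row of the audit table. The embedded lockfile fragment is constructed for illustration; the `0.1.10`, `4.21.1` and `4.15.2` versions in it are assumed, not taken from the repository, and `0.1.12` is the patched floor quoted in the audit output.

```python
"""Check a Yarn v1 lockfile for a package pinned below its patched version.

Added example (not BoTorch/Docusaurus/Yarn code). Parses the classic
yarn.lock text format: one block per resolved package, a header of
comma-separated `name@range` specs (quoted when scoped), a 2-space-indented
`version "x.y.z"`, and an optional `dependencies:` section with 4-space
entries of the form `name "range"`.
"""
import re
from typing import Dict, List, Tuple

# Constructed yarn.lock v1 fragment; versions other than the 0.1.12 patched
# floor are illustrative assumptions, not the repository's real lockfile.
SAMPLE_LOCK = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@docusaurus/core@3.7.0":
  version "3.7.0"
  resolved "https://registry.yarnpkg.com/@docusaurus/core/-/core-3.7.0.tgz#constructed"
  integrity sha512-CONSTRUCTED
  dependencies:
    webpack-dev-server "^4.15.2"

express@^4.17.3:
  version "4.21.1"
  resolved "https://registry.yarnpkg.com/express/-/express-4.21.1.tgz#constructed"
  integrity sha512-CONSTRUCTED
  dependencies:
    path-to-regexp "0.1.10"

path-to-regexp@0.1.10:
  version "0.1.10"
  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.10.tgz#constructed"
  integrity sha512-CONSTRUCTED

webpack-dev-server@^4.15.2:
  version "4.15.2"
  resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-4.15.2.tgz#constructed"
  integrity sha512-CONSTRUCTED
  dependencies:
    express "^4.17.3"
'''


def parse_yarn_lock(text: str) -> List[dict]:
    """Return one {name, version, deps} dict per lockfile block."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in block.splitlines() if not ln.startswith("#")]
        if not lines or lines[0].startswith(" "):
            continue  # header comment block or stray indented text
        first_spec = lines[0].rstrip(":").split(",")[0].strip().strip('"')
        # rfind keeps the leading '@' of scoped names such as @docusaurus/core
        entry = {"name": first_spec[: first_spec.rfind("@")], "version": None, "deps": {}}
        in_deps = False
        for line in lines[1:]:
            indent = len(line) - len(line.lstrip(" "))
            stripped = line.strip()
            if indent == 2:
                in_deps = stripped == "dependencies:"
                if stripped.startswith("version "):
                    entry["version"] = stripped.split(" ", 1)[1].strip('"')
            elif indent == 4 and in_deps:
                dep, rng = stripped.split(" ", 1)
                entry["deps"][dep.strip('"')] = rng.strip('"')
        entries.append(entry)
    return entries


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric x.y.z key; pre-release suffixes are dropped (sufficient for a floor check)."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0])[:3])


def find_unpatched(entries: List[dict], package: str, patched_min: str) -> List[str]:
    """Locked versions of `package` strictly below the patched floor."""
    return sorted({e["version"] for e in entries
                   if e["name"] == package and version_key(e["version"]) < version_key(patched_min)})


def pinned_by(entries: List[dict], package: str) -> Dict[str, str]:
    """Map 'dependent@version' -> declared range for every entry that depends on `package`."""
    return {f'{e["name"]}@{e["version"]}': e["deps"][package] for e in entries if package in e["deps"]}


def paths_to(entries: List[dict], target: str) -> List[str]:
    """Root-to-target chains, in the shape of the `Path` row printed by yarn audit."""
    by_name: Dict[str, dict] = {}
    for e in entries:
        by_name.setdefault(e["name"], e)
    depended = {d for e in entries for d in e["deps"]}
    roots = [e["name"] for e in entries if e["name"] not in depended]
    found: List[str] = []

    def walk(name: str, chain: List[str]) -> None:
        if name == target:
            found.append(" > ".join(chain))
            return
        for dep in by_name.get(name, {"deps": {}})["deps"]:
            if dep not in chain:  # cycle guard
                walk(dep, chain + [dep])

    for root in roots:
        walk(root, [root])
    return found


if __name__ == "__main__":
    locked = parse_yarn_lock(SAMPLE_LOCK)
    for v in find_unpatched(locked, "path-to-regexp", "0.1.12"):
        print(f"path-to-regexp {v} is locked below patched floor 0.1.12")
    for dependent, rng in pinned_by(locked, "path-to-regexp").items():
        print(f"  pinned by {dependent} with range {rng!r}")
    for path in paths_to(locked, "path-to-regexp"):
        print(f"  path: {path}")
```

Pointing the script at a real lockfile (read the file instead of `SAMPLE_LOCK`) gives the same three views: an exact range such as `"0.1.10"` in the `pinned by` line is the reason Dependabot cannot bump the leaf on its own, and it is why deleting and regenerating the lockfile, so that the dependent is re-resolved to a release whose range allows the patched version, was the fix here.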