Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Breaking] Replace unzipper with yauzl-promise #2687

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

[Breaking] Replace unzipper with yauzl-promise #2687

wants to merge 2 commits into from

Conversation

pnappa
Copy link

@pnappa pnappa commented Feb 13, 2024

Summary

Unzipper had a transitive dependency on a package that does not have a license. This means that every user is potentially violating the law in using it. Personally, I think it's better to stick to following it, so I've replaced the root dependency with a modern (and updated) alternative.

However, yauzl-promise requires node v16 and above! I think there's some bikeshedding to be done for whether this is worthwhile or not.

This is a breaking change, as the minimum node engine has been bumped from v10 to v16. Note that the engines before this claimed v8 was supported, but the transitive dependencies required >=10. I believe this is an okay change to merge, as anything older than v18 is not supported anymore. https://endoflife.date/nodejs

Test plan

The test suite passes locally (on my machine).

Resolves #2686

Patrick Nappa added 2 commits February 13, 2024 13:36
Replace unzipper with yauzl-promise
7096a6f 
Unzipper had a transitive dependency on a package that does not have a
license. This means that every user is potentially violating the law in
using it. Personally, I think it's better to stick to following it, so
I've replaced the root dependency with a modern (and updated)
alternative.

However, yauzl-promise requires node v16 and above! I think there's some
bikeshedding to be done for whether this is worthwhile or not.
Bump node version to version 16.
00c2ad7 
This is a breaking change.

Also updated the tests to not test on deprecated versions of node.
@jjshinobi
Copy link

This change will also resolve https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116 due to the transitive dependency
exceljs@4.4.0 › unzipper@0.10.14 › fstream@1.0.12 › rimraf@2.7.1 › glob@7.2.3 › inflight@1.0.6. Can we please bump this PR for review?

@pnappa pnappa mentioned this pull request Feb 29, 2024
Open
@pnappa
Copy link
Author

pnappa commented Feb 29, 2024

Another alternative is to implement what's described here in #2703 . I probably reckon this is a better solution. It's supported in NodeJS (>=18), which is the minimum version that this PR requires anyway.

@pnappa pnappa mentioned this pull request Feb 29, 2024
Open
@k0s15 k0s15 mentioned this pull request Apr 15, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

no licensing on one of exceljs dependencies
2 participants
@pnappa @jjshinobi