Update webpack-stream to fix vulnerability reported by npm and dedupe Webpack #11436
/botio-linux preview
From: Bot.io (Linux m4). Received. Command cmd_preview from @timvandermeij received. Current queue size: 0. Live output at: http://54.67.70.0:8877/428dca951cd5dbf/output.txt
From: Bot.io (Linux m4). Success. Full output at http://54.67.70.0:8877/428dca951cd5dbf/output.txt Total script time: 0.68 mins. Published
I wonder why it showed success, because the build failed. From the logs:
The preview command runs
Looks like there has been a regression in webpack-stream 5.1.0 and up; current solution (perfectly satisfactory for this PR) is to upgrade to 5.0.x, not all the way.
https://npmjs.com/advisories/1084 webpack-stream between 4.0.3 and 5.0.0 added official support for Webpack 4. Which is nice since we ARE using Webpack 4... Also, dropped support for Node.js 4 which shouldn't be a big deal for us since we are already using packages that are incompatible with Node.js 4 (Webpack 4.x supports Node.js 6 and up).
For future reference: When making changes that could, in one way or another, potentially break the builds you should run all of the appropriate tests locally while developing the patch.
That seems to be tracked in issue shama/webpack-stream#201, and the regression is apparently PR shama/webpack-stream#109, which has been open for over a year :-( If that regression isn't addressed, we may need to start looking for alternatives to
/botio-linux preview
From: Bot.io (Linux m4). Received. Command cmd_preview from @timvandermeij received. Current queue size: 0. Live output at: http://54.67.70.0:8877/02863f40c7d462e/output.txt
From: Bot.io (Linux m4). Success. Full output at http://54.67.70.0:8877/02863f40c7d462e/output.txt Total script time: 1.72 mins. Published
/botio test
From: Bot.io (Linux m4). Received. Command cmd_test from @timvandermeij received. Current queue size: 0. Live output at: http://54.67.70.0:8877/25b3b8329f0f2a1/output.txt
From: Bot.io (Windows). Received. Command cmd_test from @timvandermeij received. Current queue size: 0. Live output at: http://54.215.176.217:8877/f143909fee3de74/output.txt
From: Bot.io (Linux m4). Success. Full output at http://54.67.70.0:8877/25b3b8329f0f2a1/output.txt Total script time: 18.95 mins
From: Bot.io (Windows). Failed. Full output at http://54.215.176.217:8877/f143909fee3de74/output.txt Total script time: 26.31 mins. Image differences available at: http://54.215.176.217:8877/f143909fee3de74/reftest-analyzer.html#web=eq.log
That failure looks invalid to me!
Yes, it's completely unrelated to this patch. Nice clean-up!
https://npmjs.com/advisories/1084
webpack-stream between 4.0.3 and 5.0.0 added official support for Webpack 4. Which is nice since we ARE using Webpack 4... Also, dropped support for Node.js 4 which shouldn't be a big deal for us since we are already using packages that are incompatible with Node.js 4 (Webpack 4.x supports Node.js 6 and up).
A nice side effect is that this update removes a ton of duplicate dependencies - webpack-stream 4.0.3 included a second copy of Webpack, version 3.x, in our node_modules!