
Yarn: Regenerate lockfile to unblock dependabot #2837


Closed

Conversation

CristianLara
Contributor

Dependabot failed to update a dependency (https://github.com/pytorch/botorch/actions/runs/14734256627/job/41356188770) to a non-vulnerable version because of transitive dependencies. The upstream package was updated to use a non-vulnerable version but that isn't reflected in our existing lockfile. Deleting and regenerating resolves this.

Relevant discussion in Docusaurus issue thread: facebook/docusaurus#10491 (comment)

Test Plan:

Before:
```
(venv) ~/Projects/botorch/website (main ✔) yarn audit
yarn audit v1.22.22
warning package.json: No license field
warning ../../../package.json: No license field
warning No license field
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Unpatched `path-to-regexp` ReDoS in 0.1.x                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ path-to-regexp                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.1.12                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @docusaurus/core                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @docusaurus/core > webpack-dev-server > express >            │
│               │ path-to-regexp                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1101844                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Unpatched `path-to-regexp` ReDoS in 0.1.x                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ path-to-regexp                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.1.12                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @docusaurus/preset-classic                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @docusaurus/preset-classic > @docusaurus/core >              │
│               │ webpack-dev-server > express > path-to-regexp                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1101844                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Unpatched `path-to-regexp` ReDoS in 0.1.x                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ path-to-regexp                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.1.12                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @docusaurus/preset-classic                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @docusaurus/preset-classic > @docusaurus/plugin-content-blog │
│               │ > @docusaurus/core > webpack-dev-server > express >          │
│               │ path-to-regexp                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1101844                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Unpatched `path-to-regexp` ReDoS in 0.1.x                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ path-to-regexp                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.1.12                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @docusaurus/preset-classic                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @docusaurus/preset-classic > @docusaurus/theme-classic >     │
│               │ @docusaurus/plugin-content-blog > @docusaurus/core >         │
│               │ webpack-dev-server > express > path-to-regexp                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1101844                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
4 vulnerabilities found - Packages audited: 1477
Severity: 4 High
✨  Done in 1.42s.
```

After:
```
(venv) ~/Projects/botorch/website (main ✔) rm yarn.lock

(venv) ~/Projects/botorch/website (main ✗) yarn && yarn audit
yarn install v1.22.22
warning package.json: No license field
warning ../../../package.json: No license field
info No lockfile found.
warning No license field
[1/4] 🔍  Resolving packages...
warning @docusaurus/core > del > [email protected]: Rimraf versions prior to v4 are no longer supported
warning @docusaurus/core > webpack-dev-server > [email protected]: Rimraf versions prior to v4 are no longer supported
warning @docusaurus/core > shelljs > [email protected]: Glob versions prior to v9 are no longer supported
warning @docusaurus/core > del > rimraf > [email protected]: Glob versions prior to v9 are no longer supported
warning @docusaurus/core > react-dev-utils > fork-ts-checker-webpack-plugin > [email protected]: Glob versions prior to v9 are no longer supported
warning @docusaurus/core > shelljs > glob > [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
warning @docusaurus/core > react-dev-utils > fork-ts-checker-webpack-plugin > [email protected]: this will be v4
warning @docusaurus/core > webpack-dev-server > webpack-dev-middleware > [email protected]: this will be v4
warning plotly.js > color-rgba > color-space > [email protected]: Redundant dependency in your project.
[2/4] 🚚  Fetching packages...
warning Pattern ["react-helmet-async@npm:@slorber/react-helmet-async@*"] is trying to unpack in the same destination "/Users/cristianlara/Library/Caches/Yarn/v6/npm-react-helmet-async-1.3.0-11fbc6094605cf60aa04a28c17e0aab894b4ecff-integrity/node_modules/react-helmet-async" as pattern ["react-helmet-async@npm:@slorber/[email protected]","react-helmet-async@^1.3.0"]. This could result in non-deterministic behavior, skipping.
[3/4] 🔗  Linking dependencies...
warning " > @docusaurus/[email protected]" has unmet peer dependency "@mdx-js/react@^3.0.0".
warning "@docusaurus/core > [email protected]" has unmet peer dependency "react-loadable@*".
warning "@docusaurus/core > react-dev-utils > [email protected]" has unmet peer dependency "typescript@>= 2.7".
warning "@docusaurus/core > @docusaurus/mdx-loader > @mdx-js/mdx > recma-jsx > [email protected]" has unmet peer dependency "acorn@^6.0.0 || ^7.0.0 || ^8.0.0".
warning "@docusaurus/preset-classic > @docusaurus/theme-classic > @mdx-js/[email protected]" has unmet peer dependency "@types/react@>=16".
warning "@docusaurus/preset-classic > @docusaurus/theme-search-algolia > @docsearch/react > @algolia/[email protected]" has unmet peer dependency "@algolia/client-search@>= 4.9.1 < 6".
warning "@docusaurus/preset-classic > @docusaurus/theme-search-algolia > @docsearch/react > @algolia/autocomplete-core > @algolia/[email protected]" has unmet peer dependency "@algolia/client-search@>= 4.9.1 < 6".
warning "@docusaurus/preset-classic > @docusaurus/theme-search-algolia > @docsearch/react > @algolia/autocomplete-core > @algolia/[email protected]" has unmet peer dependency "search-insights@>= 1 < 3".
warning "plotly.js > [email protected]" has unmet peer dependency "webpack@^5.27.0".
warning "plotly.js > @plotly/mapbox-gl > @mapbox/[email protected]" has unmet peer dependency "mapbox-gl@>=0.32.1 <2.0.0".
[4/4] 🔨  Building fresh packages...
success Saved lockfile.
✨  Done in 34.94s.

yarn audit v1.22.22
warning package.json: No license field
warning ../../../package.json: No license field
warning No license field
0 vulnerabilities found - Packages audited: 1482
✨  Done in 0.70s.
```
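The failure mode described in this PR, a lockfile pinning a transitive dependency below the version an upstream package already moved to, can be checked mechanically before and after regenerating. The Node.js script below is an added example, not code from the botorch project or this PR: it parses a Yarn v1 lockfile and reports every resolved version of the advised package that sits in the vulnerable 0.1.x line below the "Patched in" value of 0.1.12 from the audit output above; it works for any package/advisory triple, and the lockfile excerpt, the @docusaurus/core 3.7.0 entry and the ^0.1.7 range are constructed for the example.

```javascript
// Added example (not botorch or PR code): check a Yarn v1 lockfile against an advisory.
// Constructed Yarn v1 lockfile excerpt (not the real botorch yarn.lock): the
// 0.1.x line of path-to-regexp is pinned at 0.1.10 by a transitive ^0.1.7 range.
const LOCK_BEFORE = `# yarn lockfile v1

"@docusaurus/core@3.7.0":
  version "3.7.0"

path-to-regexp@0.1.10, path-to-regexp@^0.1.7:
  version "0.1.10"
  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.10.tgz#constructed"

path-to-regexp@^1.7.0:
  version "1.9.0"
`;

// The same excerpt after regeneration: ^0.1.7 now resolves to 0.1.12.
const LOCK_AFTER = LOCK_BEFORE.replace(/0\.1\.10/g, "0.1.12");

// Advisory values taken from the yarn audit output above: 0.1.x, patched in >=0.1.12.
const ADVISORY = { name: "path-to-regexp", vulnerableLine: "0.1.", patchedIn: "0.1.12" };

// Yarn v1 format: an unindented header lists comma-separated, optionally quoted
// "name@range" patterns and ends with ':'; indented lines belong to that entry.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const patterns = line.replace(/:\s*$/, "").split(",").map((p) => p.trim().replace(/^"|"$/g, ""));
      current = { patterns, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "name@range" -> name; lastIndexOf keeps scoped names like @docusaurus/core intact.
function packageName(pattern) {
  const at = pattern.lastIndexOf("@");
  return at > 0 ? pattern.slice(0, at) : pattern;
}

// Numeric dotted-version compare; prerelease suffixes are dropped (enough for this check).
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Entries for advisory.name resolved inside the vulnerable line but older than patchedIn.
function findUnpatched(lockText, advisory) {
  return parseYarnLockV1(lockText)
    .filter((e) => e.version && e.patterns.some((p) => packageName(p) === advisory.name))
    .filter((e) => e.version.startsWith(advisory.vulnerableLine)
      && compareVersions(e.version, advisory.patchedIn) < 0)
    .map((e) => ({ patterns: e.patterns, version: e.version }));
}
```

Running `findUnpatched(LOCK_BEFORE, ADVISORY)` returns the single 0.1.10 entry reached through `path-to-regexp@^0.1.7`, while the regenerated `LOCK_AFTER` returns an empty list, matching the 4-to-0 change in the audit output.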

@facebook-github-bot facebook-github-bot added the CLA Signed Do not delete this pull request or issue due to inactivity. label Apr 30, 2025
@CristianLara CristianLara changed the title Yarn: Regernate lockfile to unblock dependabot Yarn: Regenernate lockfile to unblock dependabot Apr 30, 2025
@CristianLara CristianLara changed the title Yarn: Regenernate lockfile to unblock dependabot Yarn: Regenerate lockfile to unblock dependabot Apr 30, 2025
@facebook-github-bot
Contributor

@CristianLara has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.


codecov bot commented Apr 30, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (570d302) to head (ef492c2).
Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main     #2837   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          211       211           
  Lines        19320     19320           
=========================================
  Hits         19320     19320           


@facebook-github-bot
Contributor

@CristianLara merged this pull request in ed2e5c0.

@Balandat Balandat deleted the regenerate-lockfile-yarn-audit branch April 30, 2025 22:54