Conversation


@NERDHEAD-lab NERDHEAD-lab commented Aug 8, 2025

Checklist

  • I ran the linting and formatting tools (ESLint and Prettier)

Closes #[ISSUE_NUMBER]

Overview

This PR addresses a reported tmp package security vulnerability by replacing the unmaintained useragent library with ua-parser-js.

Changes

  • Removal of useragent library:
    • Uninstalled useragent and @types/useragent packages.
    • Cleaned up related dependencies in package.json and package-lock.json.
  • Introduction of ua-parser-js library:
    • Installed ua-parser-js and @types/ua-parser-js packages.
  • Codebase Updates:
    • src/hot-reload/HotReloaderServer.ts: Updated user agent parsing logic to use UAParser instead of useragent.
    • src/hot-reload/SignEmitter.ts: Simplified the SignEmitter constructor to accept only necessary browser information (name, version) from the UAParser.IResult object, and adjusted related logic.
    • specs/SignEmitter.specs.ts: Completely refactored the test suite to align with ua-parser-js types and the updated SignEmitter constructor signature, moving away from useragent dependencies.
  • Type Definition File Update:
    • The type definition in typings/webpack-ext-reloader.d.ts has been updated to a more structured format. This change was automatically applied during dependency updates and maintains backward compatibility for the public API. [377cd3f]

Motivation

An npm audit report identified a security vulnerability in the tmp package, a dependency of useragent. As useragent is no longer actively maintained, replacing it with a modern and actively maintained alternative like ua-parser-js was necessary to resolve this issue and enhance the project's security posture.

Impact

  • Backward Compatibility: The SignEmitter class is an internal implementation detail of the library, so there are no API changes for external users. Backward compatibility is maintained.
  • Security: The security vulnerability related to the tmp package has been resolved.

Testing

The changes have been successfully built and tested using the following commands:

  • npm run build
  • npm run test
  • npm run lint
  • npm run format

Summary by cubic

Replaced the unmaintained useragent library with ua-parser-js to fix a security vulnerability and update user agent parsing logic.

  • Dependencies
    • Removed useragent and @types/useragent.
    • Added ua-parser-js and @types/ua-parser-js.
  • Refactors
    • Updated HotReloaderServer and SignEmitter to use ua-parser-js for browser info.
    • Refactored related tests and type definitions for compatibility.

…bility

Replaced the deprecated 'useragent' package with 'ua-parser-js' to resolve the 'tmp' package security vulnerability reported by 'npm audit'.

- Uninstalled 'useragent' and '@types/useragent'.
- Installed 'ua-parser-js'.
- Updated 'src/hot-reload/HotReloaderServer.ts' to use 'UAParser' for user agent parsing.
- Updated 'src/hot-reload/SignEmitter.ts' to use 'UAParser.IResult' and extract browser information.
- Refactored 'specs/SignEmitter.specs.ts' to align with 'ua-parser-js' types and 'SignEmitter' constructor changes.
- Removed 'useragent-ng' entry from 'package-lock.json' by re-generating it.
- Included changes to 'typings/webpack-ext-reloader.d.ts' which reflect a more structured type definition, ensuring backward compatibility.

Refactor type declarations in 'typings/webpack-ext-reloader.d.ts' to a more structured format. This change was automatically applied during dependency updates and maintains backward compatibility for the public API.
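An added example, not code from this PR or the project: it walks a constructed package-lock.json (lockfileVersion 3) "packages" map to show which direct dependency is the reason a flagged package such as tmp gets installed, the check behind the Motivation section above. The lockfile contents and version numbers are placeholders, not the project's real lockfile.

```javascript
// Added example (not part of the PR): trace which direct dependencies pull a
// flagged package into a project by walking the "packages" map of a
// package-lock.json (lockfileVersion 3). Fixture below is constructed.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { useragent: "^2.3.0", "ua-parser-js": "^2.0.0" } },
    "node_modules/useragent": { version: "2.3.0", dependencies: { tmp: "0.0.x" } },
    "node_modules/tmp": { version: "0.0.33" },
    "node_modules/ua-parser-js": { version: "2.0.0" },
  },
};

// npm's nested node_modules lookup: try the nearest node_modules first,
// then walk up one node_modules level at a time until the root is reached.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every dependency chain from the project root to `target`, as name@version
// hops. Cycles are cut with `seen`; dev and optional deps are followed too.
function chainsTo(lock, target) {
  const pkgs = lock.packages;
  const found = [];
  const walk = (path, chain, seen) => {
    const p = pkgs[path];
    const deps = { ...p.dependencies, ...p.devDependencies, ...p.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(pkgs, path, name);
      if (!next || seen.has(next)) continue;
      const hop = [...chain, name + "@" + pkgs[next].version];
      if (name === target) found.push(hop);
      else walk(next, hop, new Set([...seen, next]));
    }
  };
  walk("", [], new Set());
  return found;
}
// Direct dependencies to replace or upgrade to get rid of `target`
// (lastIndexOf keeps scoped names like @types/x intact).
function directCulprits(lock, target) {
  return [...new Set(chainsTo(lock, target).map((c) => c[0].slice(0, c[0].lastIndexOf("@"))))];
}
```

Removing the useragent entries from the fixture leaves tmp in the map but unreachable from the root, which is why the PR regenerates package-lock.json rather than editing it by hand.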
@NERDHEAD-lab NERDHEAD-lab mentioned this pull request Aug 8, 2025

NERDHEAD-lab commented Aug 8, 2025

Hi @vialoh,

I've put this PR together to migrate from the unmaintained useragent library to a more current one, ua-parser-js.

This change should also resolve the npm audit issues that seem to be causing CI workflow failures, which could help unblock a number of other PRs.

Finally, I also corrected some tangled type definitions that seemed incorrect. This might be related to the problem described in #583. Hope this helps!

 @babel/core                           7.26.0  →   7.28.0
 @babel/eslint-parser                  7.25.9  →   7.28.0
 @babel/plugin-transform-regenerator   7.25.9  →   7.28.1
 @babel/preset-env                     7.26.0  →   7.28.0
 @types/chai                           4.3.20  →    5.2.2
 @types/lodash                        4.17.12  →  4.17.20
 @types/mocha                          10.0.9  →  10.0.10
 @types/sinon                          17.0.3  →   17.0.4
 @types/webextension-polyfill         ^0.12.0  →  ^0.12.3
 @types/ws                             8.5.12  →   8.18.1
 @typescript-eslint/eslint-plugin      6.21.0  →   8.39.0
 @typescript-eslint/parser             6.21.0  →   8.39.0
 autoprefixer                         10.4.20  →  10.4.21
 babel-loader                           9.2.1  →   10.0.0
 chai                                   4.5.0  →    5.2.1
 copy-webpack-plugin                   11.0.0  →   13.0.0
 cross-env                             ^7.0.3  →  ^10.0.0
 css-loader                            6.11.0  →    7.1.2
 eslint                                8.57.1  →   9.33.0
 eslint-config-prettier                 9.1.0  →   10.1.8
 eslint-plugin-import                  2.31.0  →   2.32.0
 eslint-plugin-jsx-a11y                6.10.1  →   6.10.2
 eslint-plugin-prettier                 5.2.1  →    5.5.4
 eslint-plugin-react                   7.37.2  →   7.37.5
 eslint-plugin-react-hooks              4.6.2  →    5.2.0
 husky                                  8.0.3  →    9.1.7
 lint-staged                          15.2.10  →   16.1.5
 mini-css-extract-plugin                2.9.1  →    2.9.3
 mocha                                 10.7.3  →   11.7.1
 prettier                               3.3.3  →    3.6.2
 sinon                                 17.0.1  →   21.0.0
 style-loader                           3.3.4  →    4.0.0
 ts-loader                              9.5.1  →    9.5.2
 typescript                             5.6.3  →    5.9.2
 webpack                               5.95.0  →  5.101.0
 webpack-cli                            5.1.4  →    6.0.1
 webpack-sources                       ^3.2.3  →   ^3.3.3
 ws                                   ^8.14.2  →  ^8.18.3

This commit resolves multiple TypeScript and Webpack-related build errors that appeared after updating dependencies to their latest versions.

- Fixes the `OutputNormalized` type error (TS2739) in `manifest.ts` due to stricter types in the latest Webpack.
- Resolves the type definition (.d.ts) module resolution error (TS2306) by separating internal types into `internal.d.ts` while maintaining external compatibility.
- Adds type definitions for the `source-map-support` package to resolve TS7016.
- Modernizes the module export in `index.ts` to use the standard `export default`.
- Migrates the legacy .eslintrc.js to the new eslint.config.js standard (Flat Config).
  - Remove legacy `.eslintrc.js` and `.eslintignore`.
  - Add `eslint.config.js` using the Flat Config format.

NERDHEAD-lab commented Aug 9, 2025

Hi @vialoh,

I’m adding this comment to explain the additional work that was included after the initial PR changes.


Updated project dependencies - b03c5de

Package                               Version Change        Associated
@babel/core                           7.26.0  → 7.28.0      #573
@babel/eslint-parser                  7.25.9  → 7.28.0      #573
@babel/plugin-transform-regenerator   7.25.9  → 7.28.1      #573
@babel/preset-env                     7.26.0  → 7.28.0      #573
@types/chai                           4.3.20  → 5.2.2       none
@types/lodash                         4.17.12 → 4.17.20     #573
@types/mocha                          10.0.9  → 10.0.10     #573
@types/sinon                          17.0.3  → 17.0.4      #573
@types/webextension-polyfill          ^0.12.0 → ^0.12.3     #573
@types/ws                             8.5.12  → 8.18.1      #573
@typescript-eslint/eslint-plugin      6.21.0  → 8.39.0      #481
@typescript-eslint/parser             6.21.0  → 8.39.0      #481
autoprefixer                          10.4.20 → 10.4.21     #573
babel-loader                          9.2.1   → 10.0.0      #579
chai                                  4.5.0   → 5.2.1       #467
copy-webpack-plugin                   11.0.0  → 13.0.0      #580
cross-env                             ^7.0.3  → ^10.0.0     #594
css-loader                            6.11.0  → 7.1.2       #489
eslint                                8.57.1  → 9.33.0      #499
eslint-config-prettier                9.1.0   → 10.1.8      #573, #578
eslint-plugin-import                  2.31.0  → 2.32.0      #573
eslint-plugin-jsx-a11y                6.10.1  → 6.10.2      #573
eslint-plugin-prettier                5.2.1   → 5.5.4       #573
eslint-plugin-react                   7.37.2  → 7.37.5      #573
eslint-plugin-react-hooks             4.6.2   → 5.2.0       #566
husky                                 8.0.3   → 9.1.7       none
lint-staged                           15.2.10 → 16.1.5      #573, #584
mini-css-extract-plugin               2.9.1   → 2.9.3       #573
mocha                                 10.7.3  → 11.7.1      #573, #576
prettier                              3.3.3   → 3.6.2       #573
sinon                                 17.0.1  → 21.0.0      #585
style-loader                          3.3.4   → 4.0.0       #492
ts-loader                             9.5.1   → 9.5.2       #573
typescript                            5.6.3   → 5.9.2       #573
webpack                               5.95.0  → 5.101.0     #573
webpack-cli                           5.1.4   → 6.0.1       #577
webpack-sources                       ^3.2.3  → ^3.3.3      #573
ws                                    ^8.14.2 → ^8.18.3     #573

Resolve build errors after dependency updates - ed8601a

This commit resolves multiple TypeScript and Webpack-related build errors that appeared after updating dependencies to their latest versions.

  • Fixes the OutputNormalized type error (TS2739) in manifest.ts due to stricter types in the latest Webpack.
  • Resolves the type definition (.d.ts) module resolution error (TS2306) by separating internal types into internal.d.ts while maintaining external compatibility.
  • Adds type definitions for the source-map-support package to resolve TS7016.
  • Modernizes the module export in index.ts to use the standard export default.

Migrate to ESLint v9 and Flat Config - 43a2317

  • Migrates the legacy .eslintrc.js to the new eslint.config.js standard (Flat Config).
    • Remove legacy .eslintrc.js and .eslintignore.
    • Add eslint.config.js using the Flat Config format.

Etc.

  • df8ed6d - chore(lint): cleanup unused eslint-disable comments

@NERDHEAD-lab

Hello @rushilsrivastava,

I hope you don't mind me reaching out directly. As a member of Simplify Jobs Inc., I thought you might be able to provide some guidance.

I've submitted a pull request for this repository.

This pull request primarily addresses a reported security vulnerability by replacing the unmaintained 'useragent' library with 'ua-parser-js'.
As part of this update, I also took the opportunity to modernize the development environment by updating all other dependencies to their latest versions and migrating the entire ESLint configuration to v9.

Since this is my first contribution here, I'm unsure of the review process. Would you be the right person to review these changes, or could you kindly suggest who might be?

Any help would be greatly appreciated. Thank you!

