chore: Bump dependencies to reduce vulnerabilities in /ui #4654
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This resolves a vulnerability in word-wrap: GHSA-j8xg-fqg3-53r7. Signed-off-by: Harri Lehtola <[email protected]>
The older version depended on taffydb that has a vulnerability with no patched version available. The latest version no longer uses it. Signed-off-by: Harri Lehtola <[email protected]>
This resolves 1 critical and 1 high level vulnerability in @xmldom/xmldom and path-to-regexp. Signed-off-by: Harri Lehtola <[email protected]>
This resolves 1 high and 9 moderate level vulnerabilities reported by `yarn audit`. Signed-off-by: Harri Lehtola <[email protected]>
This resolves 16 high level vulnerabilities reported by `yarn audit`. Signed-off-by: Harri Lehtola <[email protected]>
"defaults" (https://browsersl.ist/#q=defaults) is the recommended starting point these days, it's a shorthand for "> 0.5%, last 2 versions, Firefox ESR, not dead". Using it gets rid of a couple autoprefixer related warnings that started appearing after dependency updates. Check the previous production configuration at https://browsersl.ist/#q=%3E0.2%25%2C+not+dead%2C+not+op_mini+all if you want to compare what changed. Signed-off-by: Harri Lehtola <[email protected]>
This resolves 2 critical, 11 high, 7 moderate and 1 low level vulnerability reported by `yarn audit`. @babel/plugin-proposal-private-property-in-object is added to devDependencies due to this warning when running the tests: > One of your dependencies, babel-preset-react-app, is importing the > "@babel/plugin-proposal-private-property-in-object" package without > declaring it in its dependencies. This is currently working because > "@babel/plugin-proposal-private-property-in-object" is already in your > node_modules folder for unrelated reasons, but it may break at any time. > > babel-preset-react-app is part of the create-react-app project, which > is not maintianed (sic) anymore. It is thus unlikely that this bug will > ever be fixed. Add "@babel/plugin-proposal-private-property-in-object" to > your devDependencies to work around this error. This will make this message > go away. Signed-off-by: Harri Lehtola <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Bump several dependencies to reduce the number of vulnerabilities reported by
yarn auditfrom 57 to 3.Before:
After:
The remaining vulnerabilities are:
The
cookieone comes viamswthat is only used in tests and actively developed and has a related issue, so I would expect it to be resolved in an update in the near future.The other two could potentially be resolved with yarn's resolutions, but they are only used during build time, so they should not be a concern in practice. Furthermore, we should try to get rid of
react-scriptsanyway since it's no longer maintained, and the two vulnerabilities should become obsolete with that.Which issue(s) this PR fixes:
This is related to #4451, but it's debatable whether this resolves it for now, maybe not.
Misc
After upgrading the babel packages, I started seeing the problem in babel/babel#16716, but removing
node_modulesas suggested in babel/babel#16716 (comment) fixed it. 🤷I split the upgrades into several commits, and some commit messages have additional details about non-trivial changes, especially the last two.