W-11125834 Bump dependencies #77

Merged
spelak-salesforce merged 2 commits into master from feature/dependabot
May 12, 2022

spelak-salesforce commented May 10, 2022

GUS W-11125834

Fixes dependabot issues:

Critical Changes

Changes

Issues Closed

New Metadata

Deleted Metadata

Definition of Done

Refer to Definition of Done to see any additional details for the items below:

  • Any net new LWC work has JEST test coverage 50% or above
  • Default Sa11y tests pass for all LWC components
  • 🔒 Secure both Front-end (LWC) & back-end (Apex) as necessary
  • 🔑 Grant users access in Permission Sets (Object, Field, Apex Class) as necessary
  • Link the pull request and work item by PR comment and Chatter post respectively, e.g. GUS: W-0000000: Work Name
  • Make sure that ACs are updated (if any gaps)
  • All acceptance criteria have been met
    • Developer
    • Code Reviewer
  • Pull Request contains draft release notes
  • Labels, help text, and customer facing messages are reviewed by Docs
  • QE story level testing completed

Fix dependabot issues #1, #2, #4, #6
spelak-salesforce requested a review from a team as a code owner May 10, 2022 16:59
@github-actions

Hi 👋 @spelak-salesforce! Release Engineering asks that teams use the following process for routine reviews:

  1. After creating a non-draft pull request that includes automation updates, a release engineer will be auto-assigned to the PR.
  2. When dev review is complete and the PR is ready for the release engineer to review, add a "ready for RE review" label to the PR to let us know when the PR is ready for us to review.
  3. If you've added the "ready for RE review" label but haven't received a review within 36 hours, @-mention the assigned RE in a comment on the PR.
  4. If you don't receive a response from the assigned RE by the end of the next business day (or your request is urgent), post a message to #sfdo-releng-support that includes a link to this PR and one of us will review as soon as we're able.

spelak-salesforce self-assigned this May 10, 2022
spelak-salesforce added the "ready for RE review" (Ready for Developer review) label May 10, 2022
@github-actions

This PR has been labeled as ready for Release Engineering review by
@spelak-salesforce. Reviews have been requested from: @davidjray.

Comment thread yarn.lock
decamelize "^1.2.0"

yargs-parser@^20.2.2:
yargs-parser@^10.0.0, yargs-parser@^18.1.2, yargs-parser@^20.2.2, yargs-parser@^21.0.0:
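
Review bot: The merged key on the last line maps yargs-parser@^10.0.0, ^18.1.2, ^20.2.2 and ^21.0.0 to one entry, and no single version satisfies all four caret ranges, so at least three requesters receive a major version they did not ask for. Please confirm that the packages declaring ^10.0.0 and ^18.1.2 still run correctly under the forced version (run the lint, test and build scripts that pull them in), and state in the PR description which version the resolution pins and why.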

spelak-salesforce (Contributor, Author) commented May 10, 2022

Fixes dependabot issue Prototype Pollution in yargs-parser #1 by forcing all yargs-parser implementations to use a safe version.

Comment thread yarn.lock
version "1.14.5"
resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.14.5.tgz#f09a5848981d3c772b5392309778523f8d85c381"
integrity sha512-wtphSXy7d4/OR+MvIFbCVBDzZ5520qV8XfPklSN5QtxuMUJZ+b0Wnst1e1lCDocfzuCkHqj8k0FpZqO+UIaKNA==
version "1.15.0"
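
Review bot: The visible lines for follow-redirects stop at version "1.15.0", while the resolved URL and integrity hash shown are still those of 1.14.5. Confirm that the new resolved and integrity lines were regenerated by yarn rather than edited by hand, and link the Dependabot alert this bump addresses, since this thread does not say which one it is.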

Comment thread yarn.lock
resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==
minimist@^1.1.1, minimist@^1.2.0, minimist@^1.2.5, minimist@^1.2.6:
version "1.2.6"
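
Review bot: The key line lists minimist@^1.2.6 alongside ^1.1.1, ^1.2.0 and ^1.2.5, which points to either a new requester or a resolutions entry; say which in the PR description so a resolutions entry can be dropped later. All four ranges are satisfied by 1.2.6, so no requester is forced out of range here, but check that yarn.lock holds no other minimist entry outside these 1.x ranges, since this hunk only covers them.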

spelak-salesforce (Contributor, Author) commented May 10, 2022

Fixes dependabot issue Prototype Pollution in minimist #6.

spelak-salesforce added the "Ready for QE" (Approved and ready for testing) label May 10, 2022
trim-newlines has a [vulnerability](https://github.com/SalesforceFoundation/OutboundFundsModule/security/dependabot/2)
for versions less than 3.0.1.  Version 2.X was being used, so we force
the resolution of a safe version.
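
The check implied by the commit message above (a 2.x trim-newlines entry forced to a safe version), as an added example that is not part of this PR or the project's code: it parses a yarn.lock v1 excerpt, lists entries still below a floor, and lists entries whose resolved major differs from a requested caret range. `SAMPLE_LOCK`, the function names and the yargs-parser version are constructed; the trim-newlines floor 3.0.1 comes from the commit message and 1.2.6 is the minimist version this PR resolves to.

```javascript
// Constructed yarn.lock (v1) excerpt for illustration; not the project's lockfile.
const SAMPLE_LOCK = `
minimist@^1.2.0, minimist@^1.2.5:
  version "1.2.6"

trim-newlines@^2.0.0:
  version "2.0.0"

yargs-parser@^10.0.0, yargs-parser@^20.2.2:
  version "20.2.9"
`;

// Floors: 3.0.1 is from the commit message; 1.2.6 is the version the PR resolves to.
const FLOORS = new Map([["trim-newlines", "3.0.1"], ["minimist", "1.2.6"]]);

// Parse entry headers ("name@range, name@range:") and their version lines.
function parseLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      const name = specs[0].slice(0, specs[0].lastIndexOf("@")); // keeps "@scope/pkg"
      const ranges = specs.map((s) => s.slice(s.lastIndexOf("@") + 1));
      current = { name, ranges, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric x.y.z comparison; prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Entries that a resolution has not lifted to the floor yet.
const belowFloor = (entries, floors) =>
  entries.filter((e) => floors.has(e.name) && compareVersions(e.version, floors.get(e.name)) < 0);

// Entries where a caret range with major >= 1 was resolved to a different major.
const forcedAcrossMajors = (entries) =>
  entries.filter((e) => e.ranges.some((r) => /^\^[1-9]/.test(r) && parseInt(r.slice(1), 10) !== parseInt(e.version, 10)));
```

On the constructed sample, `belowFloor` reports the trim-newlines 2.0.0 entry and `forcedAcrossMajors` reports the yargs-parser entry, whose `^10.0.0` requester now receives a 20.x release.
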
mldyang self-requested a review May 12, 2022 14:02

mldyang commented May 12, 2022

Hi @davidjray this PR is ready for RE review. Can you please take a look when you get the chance? Thank you.

mldyang added the "Integrate" (All reviews are complete) label and removed the "Ready for QE" (Approved and ready for testing) label May 12, 2022

jstvz (Member) left a comment

CODEOWNERS 🆗

jstvz removed the "ready for RE review" (Ready for Developer review) label May 12, 2022
spelak-salesforce merged commit 1099316 into master May 12, 2022
spelak-salesforce deleted the feature/dependabot branch May 12, 2022 19:27