Skip to content

Fix recommended security vulnerabilities and upgrade lerna to v8.2.2 #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jul 25, 2025
Merged

Fix recommended security vulnerabilities and upgrade lerna to v8.2.2 #24

merged 5 commits into from
Jul 25, 2025

Conversation

Patel-Raj
Copy link
Contributor

@Patel-Raj Patel-Raj commented Apr 16, 2025
edited
Loading

Upgraded lerna to v8.2.2 and followed the changelog to fix breaking changes if any for both v7.0.0 and v8.0.0. Ran npx lerna repair as suggested in changelog.

Ran npm audit fix to fix the recommended security vulnerabilities from semgrep

  1. node_modules/word-wrap
  2. node_modules/ejs
  3. node_modules/micromatch
  4. node_modules/@octokit/request-error

Fixed test.yml workflow to use actions/setup-node@v4 and actions/checkout@v4 actions and default to Node 18 while running the tests and only execute on pull requests, merge to master and manually trigger.

Output:
run npm fund for details
found 0 vulnerabilities

@Patel-Raj Patel-Raj requested a review from ledhed2222 as a code owner April 16, 2025 18:07
@socket-security Socket Security
Copy link

socket-security bot commented Apr 16, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedlerna@​6.6.1 ⏵ 8.2.29810082 +190 +1100

View full report

@Patel-Raj Patel-Raj requested a review from pdp2121 April 16, 2025 19:27
pdp2121
pdp2121 approved these changes Apr 16, 2025
View reviewed changes
Copy link
Collaborator

@pdp2121 pdp2121 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Patel-Raj Patel-Raj requested a review from justinr1234 April 17, 2025 13:02
@mvadari
Copy link

mvadari commented Apr 18, 2025

FYI be careful with lerna upgrades - one lerna upgrade on xrpl.js made us unable to publish new versions

@Patel-Raj11
Copy link
Collaborator

FYI be careful with lerna upgrades - one lerna upgrade on xrpl.js made us unable to publish new versions

@mvadari I was thinking of testing the lerna version update change by releasing @xrplf/eslint-config and @xrplf/prettier-config from my fork to my private npm registry. Do you have any better suggestion to test this?

@mvadari
Copy link

mvadari commented Jul 3, 2025

@Patel-Raj11 that's probably the best way. Glad you're testing - the last time we tried major-upgrading Lerna (from 4.x to 6.x on the JS repos IIRC) we weren't able to release later 😬

@Patel-Raj11
Copy link
Collaborator

@mvadari I tested releasing packages using lerna v8 here. It worked fine. Added capability to independently version and release sub packages in 3084bf6.

@Patel-Raj11 Patel-Raj11 merged commit ef182bd into master Jul 25, 2025
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@khancode khancode khancode approved these changes

@pdp2121 pdp2121 pdp2121 approved these changes

@achowdhry-ripple achowdhry-ripple achowdhry-ripple approved these changes

@ledhed2222 ledhed2222 Awaiting requested review from ledhed2222 ledhed2222 is a code owner

@justinr1234 justinr1234 Awaiting requested review from justinr1234

+1 more reviewer

@mvadari mvadari mvadari approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Patel-Raj @mvadari @Patel-Raj11 @khancode @pdp2121 @achowdhry-ripple