
Update Jest-related dependencies to latest version (v27) to address npm audit problems #9004

Merged
merged 3 commits into from
Nov 4, 2021

Conversation

Member

@benjamn benjamn commented Nov 4, 2021

Jest 27.0.0 was a significant major release with a number of breaking changes, so it's no surprise PRs like #8477 are failing. This PR is my manual attempt to address all of the hurdles involved in updating.

Closes #8324, #8841, #8910, #8325, #8477

The necessary changes fall into a few different categories:

  • Reenabling the jsdom environment so tests running in Node.js have access to mock window and document objects (one-line change in config/jest.config.js)
  • Tolerating the disappearance of testing utilities like done.fail and the global fail function (many similar changes, mostly converting done-style tests to use promises)
  • Switching from jest.runTimersToTime to the more accurately named jest.advanceTimersToTime

It might go without saying, but a huge shout-out to TypeScript for making this kind of migration relatively straightforward, compared to the painstaking care that would be required if this was all pure JavaScript.

Perhaps more importantly, these updates collectively resolve a number of high-severity security vulnerabilities (not confirmed to have any impact on @apollo/client, but worth addressing).

Before this PR (note how many of these problems are Jest-dependency-related):

~/dev/apollo-client % npm audit
# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install jest-junit@13.0.0, which is a breaking change
node_modules/@jest/core/node_modules/ansi-regex
node_modules/@types/jest/node_modules/ansi-regex
node_modules/ansi-regex
node_modules/cliui/node_modules/ansi-regex
node_modules/jest-config/node_modules/ansi-regex
node_modules/jest-diff/node_modules/ansi-regex
node_modules/jest-each/node_modules/ansi-regex
node_modules/jest-jasmine2/node_modules/ansi-regex
node_modules/jest-leak-detector/node_modules/ansi-regex
node_modules/jest-matcher-utils/node_modules/ansi-regex
node_modules/jest-message-util/node_modules/ansi-regex
node_modules/jest-snapshot/node_modules/ansi-regex
node_modules/jest-validate/node_modules/ansi-regex
node_modules/pretty-format/node_modules/ansi-regex
node_modules/string-length/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
  pretty-format  20.1.0-alpha.1 - 25.0.0
  Depends on vulnerable versions of ansi-regex
  node_modules/@types/testing-library__dom/node_modules/pretty-format
    @types/testing-library__dom  6.0.2 - 6.14.0
    Depends on vulnerable versions of pretty-format
    node_modules/@types/testing-library__dom
      @testing-library/dom  6.15.0 - 7.1.0
      Depends on vulnerable versions of @types/testing-library__dom
      node_modules/@testing-library/dom
        @testing-library/react  9.5.0 - 10.0.0-beta.2
        Depends on vulnerable versions of @testing-library/dom
        node_modules/@testing-library/react
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/jest-junit/node_modules/strip-ansi
    jest-junit  2.0.1 - 12.3.0
    Depends on vulnerable versions of strip-ansi
    node_modules/jest-junit

set-value  <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
fix available via `npm audit fix --force`
Will install jest@27.3.1, which is a breaking change
node_modules/set-value
  cache-base  >=0.7.0
  Depends on vulnerable versions of set-value
  Depends on vulnerable versions of union-value
  node_modules/cache-base
    base  >=0.7.0
    Depends on vulnerable versions of cache-base
    node_modules/base
      snapdragon  0.6.0 - 0.10.1
      Depends on vulnerable versions of base
      node_modules/snapdragon
        braces  2.0.0 - 2.3.2
        Depends on vulnerable versions of snapdragon
        node_modules/sane/node_modules/braces
        expand-brackets  1.0.0 - 2.1.4
        Depends on vulnerable versions of snapdragon
        node_modules/expand-brackets
        extglob  1.0.0 - 2.0.4
        Depends on vulnerable versions of snapdragon
        node_modules/extglob
        micromatch  3.0.0 - 3.1.10
        Depends on vulnerable versions of snapdragon
        node_modules/sane/node_modules/micromatch
          anymatch  2.0.0
          Depends on vulnerable versions of micromatch
          node_modules/sane/node_modules/anymatch
          sane  2.5.0 - 4.1.0
          Depends on vulnerable versions of micromatch
          node_modules/sane
            jest-haste-map  24.0.0-alpha.0 - 26.6.2
            Depends on vulnerable versions of sane
            node_modules/jest-haste-map
              @jest/core  <=26.6.3
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-snapshot
              node_modules/@jest/core
                jest  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/core
                Depends on vulnerable versions of jest-cli
                node_modules/jest
                  ts-jest  25.10.0-alpha.1 - 27.0.0-next.12
                  Depends on vulnerable versions of jest
                  node_modules/ts-jest
                jest-cli  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/core
                Depends on vulnerable versions of jest-config
                node_modules/jest/node_modules/jest-cli
              @jest/reporters  <=26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/reporters
              @jest/test-sequencer  <=26.6.3
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/test-sequencer
                jest-config  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/test-sequencer
                Depends on vulnerable versions of babel-jest
                Depends on vulnerable versions of jest-jasmine2
                node_modules/jest-config
                  jest-runner  24.0.0-alpha.0 - 26.6.3
                  Depends on vulnerable versions of jest-config
                  Depends on vulnerable versions of jest-haste-map
                  node_modules/jest-runner
                  jest-runtime  24.0.0-alpha.0 - 26.6.3
                  Depends on vulnerable versions of @jest/transform
                  Depends on vulnerable versions of jest-config
                  Depends on vulnerable versions of jest-haste-map
                  Depends on vulnerable versions of jest-snapshot
                  node_modules/jest-runtime
                    jest-jasmine2  24.2.0-alpha.0 - 26.6.3
                    Depends on vulnerable versions of jest-runtime
                    Depends on vulnerable versions of jest-snapshot
                    node_modules/jest-jasmine2
              @jest/transform  <=26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/transform
                babel-jest  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/transform
                node_modules/babel-jest
              jest-snapshot  24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/jest-snapshot
                jest-resolve-dependencies  26.1.0 - 26.6.3
                Depends on vulnerable versions of jest-snapshot
                node_modules/jest-resolve-dependencies
        nanomatch  >=0.1.1
        Depends on vulnerable versions of snapdragon
        node_modules/nanomatch
  union-value  *
  Depends on vulnerable versions of set-value
  node_modules/union-value

34 vulnerabilities (7 moderate, 27 high)

With this PR:

~/dev/apollo-client % npm audit
# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install @testing-library/react@12.1.2, which is a breaking change
node_modules/ansi-regex
node_modules/pretty-format/node_modules/ansi-regex
  pretty-format  20.1.0-alpha.1 - 25.0.0
  Depends on vulnerable versions of ansi-regex
  node_modules/@types/testing-library__dom/node_modules/pretty-format
    @types/testing-library__dom  6.0.2 - 6.14.0
    Depends on vulnerable versions of pretty-format
    node_modules/@types/testing-library__dom
      @testing-library/dom  6.15.0 - 7.1.0
      Depends on vulnerable versions of @types/testing-library__dom
      node_modules/@testing-library/dom
        @testing-library/react  9.5.0 - 10.0.0-beta.2
        Depends on vulnerable versions of @testing-library/dom
        node_modules/@testing-library/react

5 moderate severity vulnerabilities

I will continue investigating what's necessary to get this number down to zero.
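A root-cause reading of an `npm audit` report like the two above, as an added example that is not part of the PR or of apollo-client: it parses the `npm audit --json` shape (auditReportVersion 2), lists the root advisories, and measures how much of each root's fallout sits in the Jest dependency tree. `sampleReport` is constructed to mirror the set-value and ansi-regex findings quoted in the description, and `rootAdvisories`, `blastRadius` and `jestShare` are hypothetical helpers, not npm's own API.

```javascript
// Added example (not code from the apollo-client PR): triage an `npm audit --json`
// report (auditReportVersion 2). `sampleReport` is constructed to mirror the
// set-value and ansi-regex findings in the PR; a root advisory's `via` holds an object.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "set-value": { severity: "high", range: "<4.0.1", effects: ["cache-base", "union-value"],
      via: [{ name: "set-value", severity: "high", title: "Prototype Pollution in set-value",
              url: "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr" }] },
    "union-value": { severity: "high", via: ["set-value"], effects: [] },
    "cache-base": { severity: "high", via: ["set-value", "union-value"], effects: ["base"] },
    "base": { severity: "high", via: ["cache-base"], effects: ["snapdragon"] },
    "snapdragon": { severity: "high", via: ["base"], effects: ["micromatch"] },
    "micromatch": { severity: "high", via: ["snapdragon"], effects: ["sane"] },
    "sane": { severity: "high", via: ["micromatch"], effects: ["jest-haste-map"] },
    "jest-haste-map": { severity: "high", via: ["sane"], effects: ["@jest/core"] },
    "@jest/core": { severity: "high", via: ["jest-haste-map"], effects: ["jest"] },
    "jest": { severity: "high", via: ["@jest/core"], effects: ["ts-jest"] },
    "ts-jest": { severity: "high", via: ["jest"], effects: [] },
    "ansi-regex": { severity: "moderate", range: ">2.1.1 <5.0.1", effects: ["strip-ansi"],
      via: [{ name: "ansi-regex", severity: "moderate",
              title: "Inefficient Regular Expression Complexity in chalk/ansi-regex",
              url: "https://github.com/advisories/GHSA-93q8-gq69-wqmw" }] },
    "strip-ansi": { severity: "moderate", via: ["ansi-regex"], effects: ["jest-junit"] },
    "jest-junit": { severity: "moderate", via: ["strip-ansi"], effects: [] },
  },
};
// Root advisories: entries whose `via` holds an advisory object; all others are transitive.
function rootAdvisories(report) {
  return Object.entries(report.vulnerabilities)
    .filter(([, v]) => v.via.some((x) => typeof x === "object"))
    .map(([name, v]) => ({ name, severity: v.severity, url: v.via.find((x) => typeof x === "object").url }));
}
// Walk `effects` edges from a root to every package it makes vulnerable (root excluded).
function blastRadius(report, root) {
  const seen = new Set(), stack = [root];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of report.vulnerabilities[name]?.effects ?? []) stack.push(dep);
  }
  seen.delete(root);
  return [...seen].sort();
}
// Share of a root's downstream findings that are Jest packages: when it is most of them,
// a Jest major bump (as in this PR) is what clears the advisory from the report.
function jestShare(report, root) {
  const affected = blastRadius(report, root);
  return { affected: affected.length, jestRelated: affected.filter((n) => /jest/.test(n)).length };
}
```

Run it against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of `sampleReport`.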

Member Author

benjamn commented Nov 4, 2021

@brainkim The remaining 5 moderate severity vulnerabilities from npm audit would be solved by updating @testing-library/react from v9 to v12, but we don't have to do that right now.

@benjamn benjamn marked this pull request as ready for review November 4, 2021 20:07
@benjamn benjamn requested a review from brainkim November 4, 2021 20:07
@@ -17,4 +17,5 @@ module.exports = {
moduleFileExtensions: ['ts', 'tsx', 'js', 'json'],
testURL: 'http://localhost',
setupFiles: ['<rootDir>/config/jest/setup.ts'],
testEnvironment: 'jsdom',
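Review bot: setting testEnvironment: 'jsdom' in this hunk applies the DOM environment to every test file, so suites that exercise Node-only behaviour now also see window and document globals, and any code that branches on the presence of window will take the browser path in those tests. Jest supports a per-file override via a `@jest-environment jsdom` docblock at the top of a test file; consider keeping Jest 27's default node environment globally and opting in only the suites that need the DOM, which is the narrower option the author asks about.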
Member Author

Here's the change that reenables jsdom for all tests. Should we restrict it to the ones that actually need it?

jest.runTimersToTime(230);
jest.advanceTimersByTime(230);
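Review bot: the new name in this hunk, jest.advanceTimersByTime, does not match the PR description, whose third bullet calls it jest.advanceTimersToTime; advanceTimersByTime is the method Jest actually exposes, so the description should be corrected to match the code so that anyone searching for the rename finds the right identifier.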
Member Author

Fortunately this was just a cosmetic change (renamed for clarity/accuracy): jestjs/jest#4723

Contributor

@brainkim brainkim left a comment

This is cool! Failed tests mode is still not working in Jest 27 for me, but I’m happy to see this merged.

@benjamn benjamn merged commit f03a47a into release-3.5 Nov 4, 2021
@benjamn benjamn deleted the update-jest-dependencies-to-v27 branch November 4, 2021 20:45
@benjamn benjamn mentioned this pull request Nov 4, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 15, 2023