Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(*): Update dependencies to resolve security alerts #2983

Merged
merged 2 commits into from Mar 15, 2024
Merged

fix(*): Update dependencies to resolve security alerts #2983

merged 2 commits into from Mar 15, 2024

Conversation

dimkl
Copy link
Member

@dimkl dimkl commented Mar 12, 2024

Description

Investigate and fix dependabot security alerts and results from npm audit.

Checklist

  • npm test runs as expected.
  • npm run build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 馃悰 Bug fix
  • 馃専 New feature
  • 馃敤 Breaking change
  • 馃摉 Refactoring / dependency upgrade / documentation
  • other:

@dimkl dimkl requested a review from nikosdouvlis March 12, 2024 17:21
@dimkl dimkl self-assigned this Mar 12, 2024
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Mar 12, 2024
edited

馃 Changeset detected

Latest commit: 4489e88

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@clerk/nextjs Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@dimkl dimkl requested review from LekoArts and anagstef March 13, 2024 12:20
@dimkl dimkl force-pushed the sdk-1491-fix-dependabot branch 3 times, most recently from 769f6d0 to 6446c22 Compare March 13, 2024 12:44
@dimkl
Copy link
Member Author

dimkl commented Mar 13, 2024

I had some issues with "List node_modules" of our GH action when updating the miniflare and tslib libraries. I resolved it by installing those packages specifically in each package directory.
Screenshot 2024-03-13 at 15 28 40

Example run: https://github.com/clerk/javascript/actions/runs/8264832463/job/22609252010?pr=2983

@dimkl
Copy link
Member Author

dimkl commented Mar 13, 2024

I changed the miniflare to 2.4.12 instead of 3.20240304.0 since the tests broke due to the following error:

Disallowed operation called within global scope. Asynchronous I/O (ex: fetch() or connect())....

@dimkl dimkl changed the title fix(*): Update dependencies to resolve secutiry alerts fix(*): Update dependencies to resolve security alerts Mar 13, 2024
@dimkl dimkl requested a review from anagstef March 14, 2024 18:54
nikosdouvlis
nikosdouvlis approved these changes Mar 14, 2024
View reviewed changes
packages/nextjs/package.json
"typescript": "*"
},
"peerDependencies": {
"next": "^13.0.4 || ^14.0.3",
"next": "^13.5.4 || ^14.0.3",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this a "breaking" change?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nikosdouvlis yes, kind of.
if this is for the changeset entry, i guess it's better to change it to major. Since we are in a pre-release tag, it's okay.
I think that customers who want to Clerk with NextJS in production would probably have a newer @13 version with all the security updates.
Wdyt?

LekoArts
LekoArts requested changes Mar 15, 2024
View reviewed changes
packages/elements/package.json Outdated Show resolved Hide resolved
@dimkl
fix(elements): Resolve issue with rollup linux missing dependency
4489e88 
Error: Cannot find module @rollup/rollup-linux-x64-gnu. npm has a bug related to optional dependencies (npm/cli#4828). Please try `npm i` again after removing both package-lock.json and node_modules directory.
@dimkl dimkl enabled auto-merge (squash) March 15, 2024 10:39
@dimkl dimkl merged commit 980a56c into main Mar 15, 2024
9 checks passed
@dimkl dimkl deleted the sdk-1491-fix-dependabot branch March 15, 2024 10:43
@clerk-cookie clerk-cookie mentioned this pull request Mar 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tmilewski tmilewski tmilewski approved these changes

@nikosdouvlis nikosdouvlis nikosdouvlis approved these changes

@LekoArts LekoArts LekoArts approved these changes

@anagstef anagstef Awaiting requested review from anagstef

Assignees

@dimkl dimkl

Labels
backend elements expo integration nextjs sdk-node
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@dimkl @tmilewski @nikosdouvlis @anagstef @LekoArts @clerk-cookie