Webapp yarn updates #22489
Conversation
package.json (Outdated)
@@ -38,5 +38,13 @@ | |||
"web/packages/teleterm", | |||
"e/web/**" | |||
] | |||
}, | |||
"dependencies": { |
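Review bot: the hunk (@@ -38,5 +38,13 @@) opens a new "dependencies" block in the root package.json directly after the workspaces list, which is the wrong place for these bumps: every package in this PR is one dependabot reports as an indirect dependency, so it has no entry in the project's own dependency list and its version lives only in yarn.lock. Drop the added root-level block and keep the one-line yarn.lock changes; if a direct dependency really needs a new range, it belongs in the nested package.json of the workspace package that imports it.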
This doesn't seem right. These updates should probably go in the nested package.json files.
Thank you for mentioning this. I was a little confused by this also.
This was committed as part of the `yarn upgrade` command, but I noticed the dependabot PRs did not have to do this. I was hoping someone could explain to me a reliable way to make sure the dependency is updated without making the package.json change.
What is the correct way to do this?
So typically the dependabot upgrades will only be to sub-dependencies, which is why you'll usually only see the version in the lockfile updated. There is no representation of that package in our project dependency list.
The correct way to apply the dependabot changes is to simply merge (or cherry-pick, then merge) the one-line changes to the yarn lock. And then to test locally you would run `make clean-ui` and `yarn` to install the new dependency version.
Thank you @hatched, I removed these changes and applied the `make clean-ui`. Let me know how this looks now.
It was; I will update the branch with master when we get closer to being able to merge it.
Bumps [nanoid](https://github.com/ai/nanoid) from 3.1.30 to 3.3.4. - [Release notes](https://github.com/ai/nanoid/releases) - [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md) - [Commits](ai/nanoid@3.1.30...3.3.4) --- updated-dependencies: - dependency-name: nanoid dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.5 to 1.15.2. - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.14.5...v1.15.2) --- updated-dependencies: - dependency-name: follow-redirects dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [node-fetch](https://github.com/node-fetch/node-fetch) from 2.6.6 to 2.6.9. - [Release notes](https://github.com/node-fetch/node-fetch/releases) - [Commits](node-fetch/node-fetch@v2.6.6...v2.6.9) --- updated-dependencies: - dependency-name: node-fetch dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [terser](https://github.com/terser/terser) from 4.8.0 to 4.8.1. - [Release notes](https://github.com/terser/terser/releases) - [Changelog](https://github.com/terser/terser/blob/master/CHANGELOG.md) - [Commits](terser/terser@v4.8.0...v4.8.1) --- updated-dependencies: - dependency-name: terser dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 6.11.2 to 6.11.3. - [Release notes](https://github.com/protobufjs/protobuf.js/releases) - [Changelog](https://github.com/protobufjs/protobuf.js/blob/v6.11.3/CHANGELOG.md) - [Commits](protobufjs/protobuf.js@v6.11.2...v6.11.3) --- updated-dependencies: - dependency-name: protobufjs dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [plist](https://github.com/TooTallNate/node-plist) from 3.0.4 to 3.0.6. - [Release notes](https://github.com/TooTallNate/node-plist/releases) - [Changelog](https://github.com/TooTallNate/plist.js/blob/master/History.md) - [Commits](https://github.com/TooTallNate/node-plist/commits) --- updated-dependencies: - dependency-name: plist dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [minimist](https://github.com/minimistjs/minimist) from 1.2.5 to 1.2.8. - [Release notes](https://github.com/minimistjs/minimist/releases) - [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md) - [Commits](minimistjs/minimist@v1.2.5...v1.2.8) --- updated-dependencies: - dependency-name: minimist dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Addresses dependabot issue: https://github.com/gravitational/teleport/security/dependabot/64 2.0.4 is needed for other CVEs, but starting with a lower-risk change
This addresses the Dependabot alert: https://github.com/gravitational/teleport/security/dependabot/62
Addresses dependabot alert: https://github.com/gravitational/teleport/security/dependabot/57
Addresses Dependabot alert: https://github.com/gravitational/teleport/security/dependabot/47
Upgrade trim to address Dependabot alert: https://github.com/gravitational/teleport/security/dependabot/44
Yarn.lock de-duplication using this tool: https://www.npmjs.com/package/yarn-deduplicate Duplicates are pretty high after prior upgrades. I feel this will make our current dependent versions more clear.
b76cf5d to 6c678c5
Looks good, QA was good across oss and e builds.
This PR provides an initial set of updates that hopefully will be safe. It is probably easiest to consume this PR by reviewing each commit in isolation. Many of the CVEs addressed are not significant for this project, but it is still best to generally keep things up to date.
This PR captures all of the PRs currently open here: https://github.com/gravitational/teleport/pulls?q=is%3Aopen+is%3Apr+author%3Aapp%2Fdependabot+label%3Ajavascript
And will address most of the items listed here (remaining items have major version upgrades that I thought would be best to do in subsequent PR's): https://github.com/gravitational/teleport/security/dependabot?q=is%3Aopen+ecosystem%3Anpm
Additionally, the last commit cleans up the yarn.lock using this tool: https://www.npmjs.com/package/yarn-deduplicate. I am unsure if this is desired, but it made it much easier for me to parse through the file to understand our current dependent versions.