Dependency vulnerabilities slowly piling up - How can I help? #503

Closed
jlengrand opened this issue Sep 26, 2020 · 13 comments

Comments

@jlengrand
Contributor

jlengrand commented Sep 26, 2020

Hey @halfzebra !

Working on a small project in elm and I saw that I had a few vulnerabilities in the code (found 5 vulnerabilities (3 low, 1 moderate, 1 high) in 1429 scanned packages, to be precise).
4 of them come from create-elm-app.

I was about to come and make a PR for you but then I saw that all 20 open PRs are already auto-PR created to fix vulnerabilities.

I realize this is an OSS project and that your time is limited, just wondering if you're planning on merging those? Is there anything I can help with to facilitate the process?

Cheers, and have a great weekend!

@halfzebra
Owner

Hi Julien!

Thanks for reaching out! I'll release the update for everything which can be released.

Packages with breaking changes might need some attention. For example, #509 has to be fixed manually.

I'd appreciate any help! 🙌

@jlengrand
Contributor Author

Heyo!

Sure, merge the ones that can be done, and let me know then. I'll look into the ones that create breaking changes :).

@jlengrand
Contributor Author

Hey @halfzebra !

Finally have some time to look into this.

So it seems that one of the reasons for failure is the fact that the CI still points to node 8, which has been EOL since the end of 2019. Current supported versions are 12 and 14.

I allowed myself to create #515 that updates the CI to newer versions of Node.

I also used the opportunity to start updating the dependencies in that PR. That way you have only one to merge instead of 17.
Can you confirm this is the way to go for you?

The only thing I'd like you to do is agree on what node versions we should support, and make the CI reflect that either by merging the PR or doing it yourself :).
As it stands now, my PR does not get any CI check.

Thanks!
Julien

@jlengrand
Contributor Author

Ah, this morning there is CI on the branch! I can continue doing stuff :).

@jlengrand
Contributor Author

Alright @halfzebra , I've dived deeper into the issues. I think I have fixed #509 .

You can find the PR in #515. If you merge it, it closes #509 , #514 and #513 all in one. They were related.

If you can merge #515 and add a #hacktoberfest label to it that'd be appreciated :).

Once that is merged, I'll move forward and fix other breaking branches! Do you need any extra help merging the ones that are successful?

@halfzebra
Owner

Hi Julien!

Thanks for working on this! 👍

I've merged the PR and everything seems to work fine!

@jlengrand
Contributor Author

No worries! I'll keep fixing as I have time. You'll get more PRs soon to help with the dependencies

@jlengrand
Contributor Author

Started #519.

When complete, it will group all dependabot (green and red) in a single PR so you don't have to spend time on each one.

@jlengrand
Contributor Author

Note: Some dependencies are really outdated (as in - archived and unmaintained). An example is uglifyjs-webpack-plugin, which is archived in favor of terser-webpack-plugin.

If the project is still aimed at being maintained, it should be investigated.

@jlengrand
Contributor Author

Alright, done! @halfzebra , #519 takes care of all the current dependencies :). Have a look and let me know.

@jlengrand
Contributor Author

Hey there. Anything I can further help with @halfzebra ?

Have a good one!

@rdela

rdela commented Oct 27, 2020

Re: uglifyjs-webpack-plugin vs terser-webpack-plugin
#427 (comment)

Also, in case no one has said it recently, thank you Eduard for creating and maintaining this project. And thank you Julien for pitching in and helping upgrade dependencies.

@jlengrand
Contributor Author

Thanks for the shoutout, much appreciated :).
