Investigate Dependabot high and critical severity alerts in mobile-samples #93
Comments
The vulnerabilities in the following npm packages come from @bentley/react-scripts. I updated that from what we were using (4.0.5) to the latest (4.0.7), but they were still vulnerable:
Regarding the A
@tcobbs-bentley the latest version of Also, @aruniverse has been working on releasing react-scripts@5 which will fix many of the issues. That full release should be out this week, so maybe try updating to that and see if there are any issues.
@calebmshafer when you say "latest version of
@tcobbs-bentley, please try 5.0.0
@aruniverse Doing that and nothing else (still on iTwin 3.2.x) causes a build error:
What is the status of this issue?
@aruniverse The last time I checked, React Scripts 5 was effectively unusable for mobile-samples. I had to remove a ton of eslint rule-disabling comments because those rules were not working, since the plugins that produce the rules are incompatible with something deep down inside react-scripts 5. While I was able to get things to build, these now completely missing eslint rules were extremely useful ones that I don't feel it is appropriate to downgrade our software to live without. Furthermore, there is a super scary sounding warning at build time (and react-scripts start time) due to no-longer-included node packages, and I was led to believe that react-scripts 5 made getting rid of this (I reiterate, super scary) warning impossible. This all happened a while ago, and I haven't had the time to check again to see if there are resolutions.
This is still present, and won't be completely removed until 3.6. I don't know if it's "super scary", especially since it's just a warning and not a runtime error, since it's not in the critical path. Re the eslint rules, can't comment on that. The version of eslint used by itwin/eslint-plugins and bentley/react-scripts differ, and we will not be changing react-scripts to support an older version of eslint there. Sounds like this will stay open.
As of today (2022-04-17), the only dependabot alerts are for xml2js, which is pulled in from iTwin. iTwin is in the process of resolving that problem.