
Upgrade vulnerable node-forge to 0.10.0 #393

Merged
merged 1 commit into from Nov 6, 2020

Conversation


@yurloc yurloc commented Nov 4, 2020

JIRA

Referenced pull requests

How to retest this PR or trigger a specific build:
  • for a pull request build please add comment: Jenkins retest this
  • for a full downstream build please add comment: Jenkins run fdb
  • for a compile downstream build please add comment: Jenkins run cdb
  • for a full production downstream build please add comment: Jenkins execute product fdb
  • for an upstream build please add comment: Jenkins run upstream


@Christopher-Chianelli Christopher-Chianelli left a comment


I don't see any changes to package.json, only package-lock.json. Is this an update of one of our dependencies' dependencies (i.e. not one of our dependencies, but one we inherited)? If not (i.e. it is one of our dependencies), I prefer package.json to be updated to reflect the version change (npm developers don't always respect minor = no breaking changes, and it would be easier to look up the issue if we had the actual version being used in package.json). If so (transitive dependency), this is fine (although the dependency that introduces it wasn't updated).



sonarcloud bot commented Nov 6, 2020

Kudos, SonarCloud Quality Gate passed!

  • Bug: A (0 Bugs)
  • Vulnerability: A (0 Vulnerabilities, and 0 Security Hotspots to review)
  • Code Smell: A (0 Code Smells)
  • No Coverage information
  • No Duplication information

Warning: The version of Node.js (v8.12.0) you have used to run this analysis is deprecated and we will stop accepting it from 16th November 2020. Please update to at least Node.js 10. Read more here


yurloc commented Nov 6, 2020

@Christopher-Chianelli looks good?

@Christopher-Chianelli

@yurloc see my comment from my review. If it is an update to a dependency's dependency, it is good; if it is an update to a direct dependency, I would prefer it to be reflected also in package.json (so we can easily look up any issues with the package).


yurloc commented Nov 6, 2020

@Christopher-Chianelli good question. The change in package-lock.json is a result of running npm audit fix, which was a recommendation I got after running npm audit. I think it makes sense because node-forge is not my direct dependency so I shouldn't enforce its version in package.json but I can still fine-tune the dependency tree by changing package-lock.json.

@yurloc yurloc merged commit 9643db6 into kiegroup:master Nov 6, 2020
@yurloc yurloc deleted the fix-vulnerable-node-forge branch November 6, 2020 16:46