Determine how to handle CVEs on transitive dependencies in release branches blocking create-gui-pr workflow #2498
Labels
kind/cleanup
Cleanup/refactor an existing component/code
triage/accepted
The issue was reviewed and is complete enough to start working on it
Description
The create-gui-pr workflow fails if there are any critical vulnerabilities in our dependencies. This blocks changes from release branches from making their way into Kuma.
We need to determine how to update vulnerable transitive dependencies in our lock file so we can merge changes in the release branch and have them land in Kuma.
Notes:
We want something like npm audit fix, but working. Last time I checked, npm audit fix is unreliable at best and flat out not working at worst. But the principle of "update the vulnerable dependency in our lock file to the earliest non-vulnerable version" is what we're looking for. A hacky way to update vulnerable transitive dependencies would look something like this:
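An added example of that principle, not the snippet the issue author was describing and not code from the Kuma project: it scans a package-lock.json (npm 7+ "packages" map, keyed by node_modules path) for every installed copy of a package whose version is below the advisory's first fixed version, including nested copies that npm audit fix tends to miss, and emits the package.json "overrides" block that pins them to the earliest non-vulnerable version. The advisory list, package names and lockfile fragment are constructed for the example; version comparison assumes plain dotted numeric versions with no prerelease tags.

```javascript
// Added example (not from the Kuma issue or project). Advisory data and the
// lockfile fragment are CONSTRUCTED; package names are placeholders.

// { name, fixedIn }: any installed version strictly below fixedIn is vulnerable.
const ADVISORIES = [
  { name: "example-parser", fixedIn: "2.4.1" },
  { name: "example-util", fixedIn: "1.0.7" },
];

// Constructed lockfile fragment in the shape npm 7+ writes (lockfileVersion 2/3).
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "gui", dependencies: { "example-framework": "^5.0.0" } },
    "node_modules/example-framework": {
      version: "5.2.0",
      dependencies: { "example-parser": "^2.3.0", "example-util": "~1.0.0" },
    },
    "node_modules/example-parser": { version: "2.3.2" },
    // Nested (deduped-away) copy: this is the kind of entry a top-level audit misses.
    "node_modules/example-framework/node_modules/example-util": { version: "1.0.3" },
    "node_modules/example-util": { version: "1.0.7" },
  },
};

// Compare dotted numeric versions: -1 if a < b, 0 if equal, 1 if a > b.
// Assumption for this example: no prerelease or build metadata.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package name is everything after the last "node_modules/" segment,
// which also handles scoped names such as "@scope/name".
function nameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Return every installed copy (top-level or nested) below an advisory's fixedIn.
function findVulnerable(lock, advisories) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "" || !entry.version) continue; // skip the root project entry
    const name = nameFromPath(lockPath);
    for (const adv of advisories) {
      if (adv.name === name && compareVersions(entry.version, adv.fixedIn) < 0) {
        hits.push({ path: lockPath, name, version: entry.version, fixedIn: adv.fixedIn });
      }
    }
  }
  return hits;
}

// Build the package.json "overrides" map: earliest non-vulnerable version per name.
// npm applies overrides to transitive dependencies on the next install, so the
// lock file is regenerated with the pinned versions.
function buildOverrides(hits) {
  const overrides = {};
  for (const h of hits) overrides[h.name] = h.fixedIn;
  return overrides;
}

const vulnerable = findVulnerable(LOCKFILE, ADVISORIES);
console.log(JSON.stringify({ vulnerable, overrides: buildOverrides(vulnerable) }, null, 2));
```

The override pins the exact earliest fixed version, matching the "earliest non-vulnerable version" goal; in practice a range such as ">=2.4.1" is the usual choice so that later patch releases are not blocked. Re-run the scan after npm install to confirm no nested copy of the vulnerable version remains in the regenerated lock file.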