
Update some 3rd party dependencies to latest and re-enable 'npm audit' #589

Merged: 8 commits merged into main from update-workspace-tools on Jun 6, 2022

Conversation

jattasNI (Contributor) commented Jun 6, 2022

Pull Request

🤨 Rationale

Fixes #581. We had disabled npm audit in our pipelines because of the vulnerability, but beachball published a fix this weekend: microsoft/beachball#666.

πŸ‘©β€πŸ’» Implementation

  1. Install latest version of beachball
  2. Re-enable npm audit commands in main.yml. This revealed new vulnerabilities in several devDependencies: ejs, event-source, and json-schema.
  3. Run npm update for each of the above dependencies and also jsprim, which was needed to get the fixed json-schema (jsprim pins its deps to exact versions)

I looked into npm overrides, which are intended for this purpose, but they're not ready for prime time (poorly documented workspace support and, bizarrely, not usable with an existing package-lock.json with our current npm version).

🧪 Testing

Relying on pipeline.

✅ Checklist

  • I have updated the project documentation to reflect my changes or determined no changes are needed.
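The implementation steps above re-enable `npm audit` in the pipeline and then chase each reported package back to the dependency that actually has to move (json-schema could only be fixed by updating jsprim, which pins exact versions). The script below is an added example, not code from this PR or its repository: it reads the JSON that `npm audit --json` emits on npm 7 and later (the `vulnerabilities` map with its `via`, `effects`, `isDirect` and `fixAvailable` fields), fails the step when anything at or above a chosen severity is present, and for every finding reports both the package carrying the advisory and the direct dependency whose update pulls the fix into the tree. The function names and the sample report are assumptions constructed for illustration; the advisory titles and ranges in it are placeholders, not real advisories.

```javascript
// Added example (not from the PR): gate a CI step on `npm audit --json`
// output and map each finding to the direct dependency that must be updated.
// Report shape follows npm 7+ audit JSON; the sample below is constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Walk `via` downward from a vulnerable package until reaching the entries
// that are advisory objects (strings in `via` name another vulnerable dep).
function rootCauses(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  const out = [];
  for (const v of vulns[name].via || []) {
    if (typeof v === 'string') out.push(...rootCauses(vulns, v, seen));
    else out.push({ pkg: name, title: v.title, severity: v.severity });
  }
  return out;
}

// Walk `effects` upward until reaching packages listed in package.json
// (isDirect): those are the ones `npm update <name>` has to bump.
function directParents(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  if (vulns[name].isDirect) return [name];
  const out = [];
  for (const e of vulns[name].effects || []) out.push(...directParents(vulns, e, seen));
  return [...new Set(out)];
}

// Returns { fail, findings } for everything at or above `failOn` severity.
// `fixAvailable` may be `true`, `false` or an object describing the fix,
// so only an explicit `false` counts as "no fix".
function triageAudit(report, failOn = 'high') {
  const vulns = report.vulnerabilities || {};
  const threshold = SEVERITY_RANK[failOn] ?? SEVERITY_RANK.high;
  const findings = Object.values(vulns)
    .filter(v => (SEVERITY_RANK[v.severity] ?? 0) >= threshold)
    .map(v => ({
      name: v.name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),
      fixAvailable: v.fixAvailable !== false,
      rootCauses: [...new Set(rootCauses(vulns, v.name).map(r => r.pkg))],
      updateTargets: directParents(vulns, v.name),
    }));
  return { fail: findings.length > 0, findings };
}

// Constructed sample report (placeholder advisories and ranges, not real data):
// json-schema is reachable only through jsprim, which the direct dep `request`
// pulls in, mirroring the jsprim/json-schema situation described in the PR.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    ejs: {
      name: 'ejs', severity: 'critical', isDirect: true, effects: [], fixAvailable: true,
      via: [{ title: 'placeholder advisory', severity: 'critical', range: '<1.0.0' }],
    },
    'json-schema': {
      name: 'json-schema', severity: 'critical', isDirect: false, effects: ['jsprim'], fixAvailable: true,
      via: [{ title: 'placeholder advisory', severity: 'critical', range: '<1.0.0' }],
    },
    jsprim: {
      name: 'jsprim', severity: 'critical', isDirect: false, effects: ['request'], fixAvailable: true,
      via: ['json-schema'],
    },
    request: {
      name: 'request', severity: 'critical', isDirect: true, effects: [], fixAvailable: true,
      via: ['jsprim'],
    },
    'some-dev-tool': {
      name: 'some-dev-tool', severity: 'low', isDirect: true, effects: [], fixAvailable: true,
      via: [{ title: 'placeholder advisory', severity: 'low', range: '<1.0.0' }],
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // In a pipeline: `npm audit --json > audit.json` and pass the parsed file here.
  const result = triageAudit(SAMPLE_REPORT, 'high');
  for (const f of result.findings) {
    console.log(`${f.severity.padEnd(8)} ${f.name.padEnd(14)} root cause: ${f.rootCauses.join(', ')}  update: ${f.updateTargets.join(', ')}`);
  }
  console.log(result.fail ? 'audit gate: FAIL' : 'audit gate: pass');
}
```

Note that this only sees what is in the lockfile tree that `npm audit` walks; as the follow-up commit below found, a vulnerable package that enters only as a `peerDependency` will not appear in the report at all, so a clean gate is necessary but not sufficient.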

@jattasNI jattasNI changed the title Update version of beachball to latest and re-enable 'npm audit' Update some 3rd party dependencies to latest and re-enable 'npm audit' Jun 6, 2022
@jattasNI jattasNI marked this pull request as ready for review June 6, 2022 20:43
@jattasNI jattasNI merged commit 216f8bc into main Jun 6, 2022
@jattasNI jattasNI deleted the update-workspace-tools branch June 6, 2022 23:03
rajsite pushed a commit that referenced this pull request Jun 16, 2022
# Pull Request

## 🤨 Rationale

I noticed a critical vulnerability being reported when running `npm i` in Skyline `Web/Packages`. It's the same vulnerability that we fixed in #589 but coming from `beachball-lock-update` instead of `beachball` directly. We missed updating `beachball-lock-update` in that PR because its dependency was a `peerDependency` so vulnerabilities aren't reported by `npm audit`.

## πŸ‘©β€πŸ’» Implementation

Update `beachball` version to same used by the rest of the repo and run `npm install`.

## 🧪 Testing

Relying on pipeline.

## ✅ Checklist

- [x] I have updated the project documentation to reflect my changes or determined no changes are needed.
Successfully merging this pull request may close these issues.

Critical security vulnerabilities in workspace-tools package