Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix dependabot alerts #81

Merged
merged 3 commits into from
Jul 12, 2022
Merged

Fix dependabot alerts #81

merged 3 commits into from
Jul 12, 2022

Conversation

devonpis
Copy link
Contributor

@devonpis devonpis commented Jul 11, 2022

the PR created by the dependabot has error on building, probably having difficulty to access the nexus registry.

Therefore I try to fix various vulnerabilities reported by dependabot manually.
and here are the findings:

  • all the vulnerabilities should have no effects on the production code, as either are devDependencies or unuse.
  • vulnerabilities from formiojs package will not be fixed, even we update our dependencies (from the moment package https://github.com/qld-gov-au/formio/security/dependabot/12), as we are serving the compiled formiojs script files. it has to be fixed in future release in formiojs repo.
  • vulnerability from postcss https://github.com/qld-gov-au/formio/security/dependabot/8 will be fixed by removing the glob support for scss import.
  • there is no walkaround for vulnerability from scss-tokenizer, since it's a devDependencies (from node-sass package), it would not affect the production code so could be dismissed.

@devonpis devonpis requested review from duttonw and a team July 11, 2022 08:02
@devonpis
Copy link
Contributor Author

follow up: formio/formio.js#4768

@@ -30,6 +30,7 @@
},
"devDependencies": {},
"dependencies": {
"@formio/premium": "^1.19.0-rc.3"
"@formio/premium": "^1.19.0-rc.3",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this not be 1.18.x?

@devonpis devonpis merged commit d90639e into main Jul 12, 2022
@duttonw duttonw deleted the fix-dependabot-alerts branch November 20, 2022 22:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants