Skip to content

Update some dependencies to fix some issues from Dependabot #2219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 28, 2024
Merged

Update some dependencies to fix some issues from Dependabot #2219

merged 1 commit into from
Sep 28, 2024

Conversation

Kocal
Copy link
Member

@Kocal Kocal commented Sep 27, 2024
edited
Loading

Q A
Bug fix? yes/no
New feature? yes/no
Issues Fix #...
License MIT

Fixing some issues from https://github.com/symfony/ux/security/dependabot by upgrading dependencies...

The React controller has changed, but it's still working:
image

@carsonbot carsonbot added Bug Bug Fix Feature New Feature Status: Needs Review Needs to be reviewed labels Sep 27, 2024
@carsonbot carsonbot added Status: Reviewed Has been reviewed by a maintainer and removed Status: Needs Review Needs to be reviewed labels Sep 28, 2024
@Kocal Kocal force-pushed the chore-dependanbot-fix-issues branch from 944b2d1 to bb6471b Compare September 28, 2024 06:03
@Kocal Kocal merged commit 21a071a into symfony:2.x Sep 28, 2024
1 check was pending
@Kocal Kocal deleted the chore-dependanbot-fix-issues branch September 28, 2024 06:03
@Kocal Kocal mentioned this pull request Sep 28, 2024
Merged
Kocal added a commit that referenced this pull request Sep 28, 2024
@Kocal
minor #2221 [Swup] For Swup's dev dependencies exclusion from our yar…
1720a47 
…n.lock (Kocal)

This PR was merged into the 2.x branch.

Discussion
----------

[Swup] For Swup's dev dependencies exclusion from our yarn.lock

| Q             | A
| ------------- | ---
| Bug fix?      | yes/no
| New feature?  | yes/no <!-- please update src/**/CHANGELOG.md files -->
| Issues        | Fix #... <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License       | MIT

<!--
Replace this notice by a description of your feature/bugfix.
This will help reviewers and should be a good start for the documentation.

Additionally (see https://symfony.com/releases):
 - Always add tests and ensure they pass.
 - For new features, provide some code snippets to help understand usage.
 - Features and deprecations must be submitted against branch main.
 - Changelog entry should follow https://symfony.com/doc/current/contributing/code/conventions.html#writing-a-changelog-entry
 - Never break backward compatibility (see https://symfony.com/bc).
-->

While working on #2219, I've noticed we had a very old Rollup version that we do not use at all.
The issue comes from Swup v3, which ship its **building** dependencies as **prod** dependencies, which means we install `microbundle` and all its dependencies:
```
microbundle@^0.15.1:
  version "0.15.1"
  resolved "https://registry.npmjs.org/microbundle/-/microbundle-0.15.1.tgz"
  integrity sha512-aAF+nwFbkSIJGfrJk+HyzmJOq3KFaimH6OIFBU6J2DPjQeg1jXIYlIyEv81Gyisb9moUkudn+wj7zLNYMOv75Q==
  dependencies:
    "`@babel`/core" "^7.12.10"
    "`@babel`/plugin-proposal-class-properties" "7.12.1"
    "`@babel`/plugin-syntax-import-meta" "^7.10.4"
    "`@babel`/plugin-syntax-jsx" "^7.12.1"
    "`@babel`/plugin-transform-flow-strip-types" "^7.12.10"
    "`@babel`/plugin-transform-react-jsx" "^7.12.11"
    "`@babel`/plugin-transform-regenerator" "^7.12.1"
    "`@babel`/preset-env" "^7.12.11"
    "`@babel`/preset-flow" "^7.12.1"
    "`@babel`/preset-react" "^7.12.10"
    "`@rollup`/plugin-alias" "^3.1.1"
    "`@rollup`/plugin-babel" "^5.2.2"
    "`@rollup`/plugin-commonjs" "^17.0.0"
    "`@rollup`/plugin-json" "^4.1.0"
    "`@rollup`/plugin-node-resolve" "^11.0.1"
    "`@surma`/rollup-plugin-off-main-thread" "^2.2.2"
    asyncro "^3.0.0"
    autoprefixer "^10.1.0"
    babel-plugin-macros "^3.0.1"
    babel-plugin-transform-async-to-promises "^0.8.18"
    babel-plugin-transform-replace-expressions "^0.2.0"
    brotli-size "^4.0.0"
    builtin-modules "^3.1.0"
    camelcase "^6.2.0"
    escape-string-regexp "^4.0.0"
    filesize "^6.1.0"
    gzip-size "^6.0.0"
    kleur "^4.1.3"
    lodash.merge "^4.6.2"
    postcss "^8.2.1"
    pretty-bytes "^5.4.1"
    rollup "^2.35.1"
    rollup-plugin-bundle-size "^1.0.3"
    rollup-plugin-postcss "^4.0.0"
    rollup-plugin-terser "^7.0.2"
    rollup-plugin-typescript2 "^0.32.0"
    rollup-plugin-visualizer "^5.6.0"
    sade "^1.7.4"
    terser "^5.7.0"
    tiny-glob "^0.2.8"
    tslib "^2.0.3"
    typescript "^4.1.3"
```

This PR won't impact developers, it's only for our `yarn.lock` which contains a bunch of useless dependencies, and some of them are vulnerable too (listed on https://github.com/symfony/ux/security/dependabot)

Commits
-------

ae52ae5 [Swup] For Swup's dev dependencies exclusion from our yarn.lock
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smnandre smnandre smnandre approved these changes

Assignees
No one assigned
Labels
Bug Bug Fix Feature New Feature Status: Reviewed Has been reviewed by a maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Kocal @smnandre @carsonbot