Skip to content

npm audit: fix critical vulnerabilities #532

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Feb 9, 2024
Merged

npm audit: fix critical vulnerabilities #532

merged 7 commits into from
Feb 9, 2024

Conversation

@jacalata
Copy link
Contributor

@jacalata jacalata commented Feb 7, 2024

npm audit gives us:
found 17 vulnerabilities (7 moderate, 3 high, 7 critical) in 435 scanned packages
run npm audit fix to fix 15 of them.
1 vulnerability requires semver-major dependency updates.
1 vulnerability requires manual review. See the full report for details.
npm audit fix did:
fixed 15 of 17 vulnerabilities in 435 scanned packages
1 vulnerability required manual review and could not be updated
1 package update for 1 vulnerability involved breaking changes

The remaining vulnerability is a moderate level in tslint. TSLint has been deprecated since 2019 and was replaced by typescript-eslint.

@jacalata
Update README.md
7b58f05
@jacalata
Update package.json
81f6364 
bump webpack
@jacalata
Update package-lock.json
81af48a 
awful workflow while I figure out my two github accounts
@jacalata
Update package-lock.json
c08ff2c
@jacalata
Update typescript to 5.3 to fix typing errors
d5903cc 
from this breaking change in @types/node, a transitive dependency of the repo.
@jacalata
Update package-lock.json
fdcd457
@jacalata
downgrade typescript to 4.x
db8c976 
to avoid the deprecations in ts 5 that make another reason we should move off tslint
anyoung-tableau
anyoung-tableau reviewed Feb 8, 2024
View reviewed changes
package.json
"tslint": "^5.16.0",
"typescript": "^3.9.10",
"webpack": "5",
"typescript": "^4.9.0",
Copy link
Contributor

@anyoung-tableau anyoung-tableau Feb 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The TS upgrade is a little worrisome. Do we have any assurance that everything is still working fine at runtime?

Copy link
Contributor Author

@jacalata jacalata Feb 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks ok in AutoTest, and the 4.0 release notes say there are no breaking changes and updating should be invisible to the majority of projects.

@jacalata jacalata merged commit 509215e into main Feb 9, 2024
@jacalata jacalata deleted the jacalata-patch-1 branch February 9, 2024 00:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anyoung-tableau anyoung-tableau anyoung-tableau approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jacalata @anyoung-tableau