
USWDS-Compile - Dependencies: POAM March '24 #89

Merged 5 commits from cm-POAM-march-24 into develop on Mar 12, 2024

Conversation

@mahoneycm (Contributor) commented Mar 5, 2024

Summary

Monthly POAM checks and dependency vulnerability resolution.

Before: 4 vulnerabilities (1 low, 3 moderate)
After: 3 moderate severity vulnerabilities

Updates USWDS package to 3.8.0

Related issue

uswds/uswds#5801

Closes https://github.com/uswds/uswds-compile/security/dependabot/10

Problem statement

Various dependencies were causing medium and low security vulnerabilities.

Solution

Bump dependencies with resolving updates.

Updated dependencies

Name            Old version   New version
autoprefixer    10.4.16       10.4.18
postcss         8.4.32        8.4.35
sass-embedded   1.69.5        1.71.1
@uswds/uswds    ^3.7.1        3.8.0 [1]

Testing and review

  1. Check out the test repo.
  2. Run npm install.
  3. Run through the gulp commands to confirm they run without error.
  4. Run npm start and confirm the build completes without error.

Gulp commands

    "uswds:buildDist": "./build.sh",
    "uswds:buildSass": "gulp buildSass",
    "uswds:compileIcons": "gulp compileIcons",
    "uswds:copyAssets": "gulp copyAssets",
    "uswds:copyFonts": "gulp copyFonts",
    "uswds:copyImages": "gulp copyImages",
    "uswds:copyJS": "gulp copyJS",

Footnotes

  1. Note: Pinned the USWDS dependency to match the updating process on USWDS-Site. I figured this grants us more control over breaking changes in the future.
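As an added illustration of the monthly POAM check described in this PR (example code written for this page, not code from uswds-compile), the script below summarises an `npm audit --json` report in the same "Before/After" style as the summary, applies a severity gate, lists the direct dependencies npm reports a fix for, and flags package.json specifiers that are ranges rather than exact pins (the point of footnote 1). It assumes the auditReportVersion 2 format that npm 7+ emits; the audit entries use placeholder package names and constructed advisories, not real findings, and placing every specifier under `dependencies` is an assumption.

```javascript
// Added example (not part of uswds-compile): summarise an `npm audit --json`
// report (auditReportVersion 2, npm 7+) in the PR's "Before/After" style, gate
// on a severity floor, and report unpinned package.json specifiers.
// Run with: node poam-check.js
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Count vulnerable packages per severity. In the v2 report each key of
// `vulnerabilities` is one package and `severity` is its worst advisory.
function summarizeAudit(report) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const entry of Object.values(report.vulnerabilities || {})) {
    if (entry.severity in counts) counts[entry.severity] += 1;
  }
  const total = SEVERITIES.reduce((n, s) => n + counts[s], 0);
  return { total, ...counts };
}

// "4 vulnerabilities (1 low, 3 moderate)": the format used in the PR summary.
function formatSummary(summary) {
  if (summary.total === 0) return "0 vulnerabilities";
  const parts = SEVERITIES.filter((s) => summary[s] > 0).map((s) => `${summary[s]} ${s}`);
  return `${summary.total} vulnerabilities (${parts.join(", ")})`;
}

// The gate a scheduled POAM run fails on: any package at or above `floor`.
function passesGate(summary, floor = "high") {
  const i = SEVERITIES.indexOf(floor);
  if (i < 0) throw new Error(`unknown severity floor: ${floor}`);
  return SEVERITIES.slice(i).every((s) => summary[s] === 0);
}

// Direct dependencies npm reports a fix for (fixAvailable is `true` or an
// object naming the fixing version): the ones a "bump dependencies" PR can
// close itself. Transitive ones wait on the upstream package.
function fixableDirect(report) {
  return Object.values(report.vulnerabilities || {})
    .filter((e) => e.isDirect && e.fixAvailable)
    .map((e) => e.name)
    .sort();
}

// Dependencies and devDependencies whose specifier is a range (^, ~, >=, *,
// x, ||) rather than an exact version. An exact pin, as this PR applies to
// @uswds/uswds, means a new upstream release cannot reach the lockfile
// without a deliberate edit to package.json.
function unpinned(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
  const all = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(all).filter((name) => !exact.test(all[name])).sort();
}

// Constructed sample reports: placeholder package names and advisories, with
// counts that mirror the PR's before/after numbers (4 -> 3, one direct low fixed).
function vuln(name, severity, isDirect, fixAvailable) {
  return { name, severity, isDirect, via: [{ title: "constructed advisory", severity }], fixAvailable };
}
const AUDIT_BEFORE = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-direct-a": vuln("example-direct-a", "low", true, true),
    "example-transitive-c": vuln("example-transitive-c", "moderate", false, false),
    "example-transitive-d": vuln("example-transitive-d", "moderate", false, false),
    "example-transitive-e": vuln("example-transitive-e", "moderate", false, false),
  },
};
const AUDIT_AFTER = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-transitive-c": vuln("example-transitive-c", "moderate", false, false),
    "example-transitive-d": vuln("example-transitive-d", "moderate", false, false),
    "example-transitive-e": vuln("example-transitive-e", "moderate", false, false),
  },
};

// Specifiers from the PR's table; putting them all under `dependencies` is an
// assumption, other package.json fields are omitted.
const PKG_BEFORE = {
  dependencies: { "@uswds/uswds": "^3.7.1", autoprefixer: "10.4.16", postcss: "8.4.32", "sass-embedded": "1.69.5" },
};
const PKG_AFTER = {
  dependencies: { "@uswds/uswds": "3.8.0", autoprefixer: "10.4.18", postcss: "8.4.35", "sass-embedded": "1.71.1" },
};

const before = summarizeAudit(AUDIT_BEFORE);
const after = summarizeAudit(AUDIT_AFTER);
console.log(`Before: ${formatSummary(before)}`);
console.log(`After: ${formatSummary(after)}`);
console.log(`Fixable direct deps before: ${fixableDirect(AUDIT_BEFORE).join(", ") || "none"}`);
console.log(`Gate (no high/critical after): ${passesGate(after) ? "pass" : "FAIL"}`);
console.log(`Unpinned before: ${unpinned(PKG_BEFORE).join(", ") || "none"}`);
console.log(`Unpinned after: ${unpinned(PKG_AFTER).join(", ") || "none"}`);
```

To run it against a real tree, replace the constructed objects with `JSON.parse(require("child_process").execSync("npm audit --json"))` and `require("./package.json")`; npm exits non-zero when it finds anything, so wrap the audit call in a try/catch and read `err.stdout`. The gate is deliberately separate from the summary so a CI job can fail on high/critical while still recording the moderate count the POAM tracks.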

@mejiaj (Contributor) left a comment


@mahoneycm can we also update patch and minor dependencies?

Running command below in terminal.

npx npm-check-updates --interactive --format group

Shows the following patch/minor updates.

Patch   Backwards-compatible bug fixes
❯ ◉ autoprefixer   10.4.16  →  10.4.18
  ◉ postcss         8.4.32  →   8.4.35

Minor   Backwards-compatible features
  ◉ sass-embedded   1.69.5  →   1.71.1

@mahoneycm (Contributor, Author) replied

@mejiaj went ahead and updated patch and minor versions as well as updated to uswds: 3.8.0.

Tested by installing on sandbox and all compile commands work like a charm with no file changes.

@mahoneycm mahoneycm requested a review from mejiaj March 12, 2024 17:14
@mejiaj (Contributor) left a comment


LGTM, thank you.

A comment on the change in line 41. I'm leaning towards keeping the previous change, but open to making it consistent.

package.json (review thread, resolved)
@mahoneycm mahoneycm requested a review from mejiaj March 12, 2024 17:44
@mejiaj mejiaj added this to the compile 1.2.0 milestone Mar 12, 2024
@mejiaj mejiaj merged commit f4e685c into develop Mar 12, 2024
1 check passed
@mejiaj mejiaj deleted the cm-POAM-march-24 branch March 12, 2024 17:52
@mejiaj mejiaj modified the milestones: compile 1.2.0, Compile 1.1.1 Mar 18, 2024
2 participants