USWDS - Dependencies: Update gulp-mocha #5674

Closed
2 tasks done
mejiaj opened this issue Dec 13, 2023 · 0 comments · Fixed by #5680
Labels
Added during Sprint Affects: Dependencies Relates to project dependencies Affects: Testing Relates to code testing

mejiaj commented Dec 13, 2023

Update gulp-mocha to address dependabot issue.

  • Upgrade dependency to a major version.
  • Test to ensure there are no breaking changes.

```
"gulp-mocha": "8.0.0",
```

Currently

```
nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix --force`
Will install gulp-mocha@10.0.0, which is a breaking change
node_modules/gulp-mocha/node_modules/nanoid

51 vulnerabilities (24 moderate, 27 high).
```

We cannot upgrade to v10 because the package is ESM and has no support for CommonJS.

@github-actions github-actions bot added the Status: Triage We're triaging this issue and grooming if necessary label Dec 13, 2023
@mejiaj mejiaj added Affects: Testing Relates to code testing Affects: Dependencies Relates to project dependencies labels Dec 13, 2023
@brunerae brunerae removed the Status: Triage We're triaging this issue and grooming if necessary label Dec 14, 2023
@brunerae brunerae added this to the uswds 3.8.0 milestone Dec 14, 2023
@mejiaj mejiaj added the Needs: Refinement We need to give this issue more detail label Dec 14, 2023
@mejiaj mejiaj self-assigned this Dec 14, 2023
@mejiaj mejiaj added Added during Sprint and removed Needs: Refinement We need to give this issue more detail labels Dec 15, 2023