USWDS - Dependencies: Update gulp-mocha to resolve nanoid issue. #5680

Merged
merged 1 commit into from Feb 27, 2024

@mejiaj mejiaj commented Dec 15, 2023

Summary

Update unit testing dependency for improved security. Update gulp-mocha to major version 9 to resolve a sub-dependency issue.

Breaking change

This is not a breaking change.

Related issue

Closes #5674.

Related pull requests

N/A

Preview link

StorybookJS preview link

Problem statement

Gulp-mocha needs to be updated to a major version to resolve an issue with a sub-dependency.

Solution

Upgraded to major version 9, which is the latest version we can upgrade to without major LOE changes.

Dependency updates

| Dependency name | Previous version | New version |
| --- | --- | --- |
| gulp-mocha | 8.0.0 | 9.0.0 |

This is the latest version we can upgrade to. v10 has major breaking changes with ESM support only.

How to test

  1. On develop run npm install && npm audit.
  2. Confirm issue with nanoid dependency.
  3. On this feature branch, run npm install && npm audit.

Testing checklist

  • Tests should run without failures.
  • NPM audit should not show nanoid issue anymore.

Before: 51 vulnerabilities (24 moderate, 27 high).
After: 48 vulnerabilities (23 moderate, 25 high).

As of 12/15/23
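
The before/after comparison in the "How to test" steps can be scripted. The following is an added example, not part of the pull request or the USWDS code base: it diffs two constructed reports in the npm 7+ `npm audit --json` shape, and the sample data, `other-pkg` and all function names are assumptions.

```javascript
// Added example. Constructed sample reports in the `npm audit --json` shape
// used by npm 7+ (a `vulnerabilities` map keyed by package name); they are
// not the project's real audit output, and `other-pkg` is hypothetical.
const sampleBefore = {
  vulnerabilities: {
    nanoid: { severity: "moderate", isDirect: false, effects: ["mocha"] },
    mocha: { severity: "moderate", isDirect: false, effects: ["gulp-mocha"] },
    "gulp-mocha": { severity: "moderate", isDirect: true, effects: [] },
    "other-pkg": { severity: "high", isDirect: true, effects: [] },
  },
};
const sampleAfter = {
  vulnerabilities: { "other-pkg": { severity: "high", isDirect: true, effects: [] } },
};

// Walk `effects` upward from a flagged package to the direct dependencies
// that pull it in: those are the package.json pins an upgrade must change.
function directRoots(report, pkg) {
  const vulns = report.vulnerabilities || {};
  const roots = new Set();
  const seen = new Set();
  const stack = [pkg];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name) || !vulns[name]) continue;
    seen.add(name);
    if (vulns[name].isDirect) roots.add(name);
    stack.push(...(vulns[name].effects || []));
  }
  return [...roots].sort();
}

// Packages flagged before but not after (resolved) and the reverse
// (introduced), plus per-severity package counts for the newer report.
function diffAudits(before, after) {
  const b = Object.keys(before.vulnerabilities || {});
  const a = Object.keys(after.vulnerabilities || {});
  const counts = {};
  for (const v of Object.values(after.vulnerabilities || {})) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
  }
  return {
    resolved: b.filter((n) => !a.includes(n)).sort(),
    introduced: a.filter((n) => !b.includes(n)).sort(),
    remaining: counts,
  };
}

console.log(directRoots(sampleBefore, "nanoid"), diffAudits(sampleBefore, sampleAfter));
```

A non-empty `introduced` list is the case a raw total hides: the count can fall while the upgrade brings in a newly flagged package.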

@mejiaj mejiaj marked this pull request as ready for review December 15, 2023 20:03
@@ -142,7 +142,7 @@
"gulp-changed": "4.0.3",
"gulp-clean": "0.4.0",
"gulp-cli": "2.3.0",
"gulp-mocha": "8.0.0",
@mejiaj mejiaj Dec 15, 2023

Important

This is the latest version that supports CommonJS. v10 only supports ESM. See gulp-mocha releases on GitHub for more information.

@mejiaj mejiaj changed the title from "USWDS - Dependencies: Update gulp-mocha to resolve dependabot nanoid issue." to "USWDS - Dependencies: Update gulp-mocha to resolve nanoid issue." Dec 15, 2023

@mahoneycm mahoneycm left a comment

Looks great! Thanks!

Testing checklist

  • Confirmed nanoid vulnerability on develop
  • Feature branch has fewer vulnerabilities
  • nanoid vulnerability is resolved
  • npm test runs without errors
  • Confirmed this is the latest version of gulp-mocha that can use CommonJS

Note

I updated the description of this vulnerability on the POAM Spreadsheet 🔒 but I did not mark as resolved. We should mark the listing as resolved once merged 👍


@amyleadem amyleadem left a comment

Looks good! I ran the following tests:

  • Confirm the nanoid warning is removed after running npm audit
    • Before: 51 vulnerabilities (24 moderate, 27 high)
    • After: 48 vulnerabilities (23 moderate, 25 high)
  • Run npm install without error
  • Run npm start without error
  • Run npm run test without error
  • Run gulp commands without error

@thisisdano thisisdano merged commit 637175e into develop Feb 27, 2024
5 checks passed
@thisisdano thisisdano deleted the jm-feature-update-mocha branch February 27, 2024 00:13