USWDS - Dependencies: Update gulp-mocha to resolve nanoid issue. #5680
@@ -142,7 +142,7 @@ | |||
"gulp-changed": "4.0.3", | |||
"gulp-clean": "0.4.0", | |||
"gulp-cli": "2.3.0", | |||
"gulp-mocha": "8.0.0", |
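Review bot: On the `"gulp-mocha"` line, the fix for the `nanoid` sub-dependency depends on what the lockfile resolves, not on this manifest entry alone, so regenerate and commit `package-lock.json` in the same change and attach the `npm audit` output from before and after. Keep the new value an exact pin, matching the neighbouring entries such as `"gulp-cli": "2.3.0"`, so a later install cannot drift to a release that drops CommonJS support.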
Important
This is the latest version that supports CommonJS. v10 only supports ESM. See gulp-mocha
releases on GitHub for more information.
Looks great! Thanks!
Testing checklist
- Confirmed `nanoid` vulnerability on `develop`
- Feature branch has fewer vulnerabilities
- `nanoid` vulnerability is resolved
- `npm test` runs without errors
- Confirmed this is the latest version of `gulp-mocha` that can use CommonJS
Note
I updated the description of this vulnerability on the POAM Spreadsheet 🔒 but I did not mark as resolved. We should mark the listing as resolved once merged 👍
Looks good! I ran the following tests:
- Confirm the `nanoid` warning is removed after running `npm audit`
  - Before: 51 vulnerabilities (24 moderate, 27 high)
  - After: 48 vulnerabilities (23 moderate, 25 high)
- Run `npm install` without error
- Run `npm start` without error
- Run `npm run test` without error
- Run `gulp` commands without error
Summary
Update unit testing dependency for improved security. Update `gulp-mocha` to major version 9 to resolve a sub-dependency issue.
Breaking change
This is not a breaking change.
Related issue
Closes #5674.
Related pull requests
N/A
Preview link
StorybookJS preview link
Problem statement
Gulp mocha needs to be updated to a major version to resolve issue with sub-dependency.
Solution
Upgraded to major version 9, which is the latest version we can upgrade to without major LOE changes.
Dependency updates
gulp-mocha
This is the latest version we can upgrade to. v10 has major breaking changes with ESM support only.
How to test
- `develop` run `npm install && npm audit`.
- `nanoid` dependency.
- `npm install && npm audit`.
Testing checklist
- `nanoid` issue anymore.
Before: 51 vulnerabilities (24 moderate, 27 high).
After: 48 vulnerabilities (23 moderate, 25 high).
As of 12/15/23
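The before/after `npm audit` comparison from the test steps above can be scripted against `npm audit --json` output. This is an added example, not code from the PR or from USWDS: the two reports are constructed samples trimmed to the fields used (including the `mocha` link in the chain), and `directParents` and `diffAudit` are hypothetical helper names.

```javascript
// Constructed sample reports in the `npm audit --json` (auditReportVersion 2) shape.
const entry = (severity, isDirect, via, effects) => ({ severity, isDirect, via, effects });
const before = {
  vulnerabilities: {
    nanoid: entry("moderate", false, [{ title: "constructed advisory" }], ["mocha"]),
    mocha: entry("moderate", false, ["nanoid"], ["gulp-mocha"]),
    "gulp-mocha": entry("moderate", true, ["mocha"], []),
    "example-pkg": entry("high", true, [{ title: "constructed advisory" }], []),
  },
  metadata: { vulnerabilities: { moderate: 3, high: 1, total: 4 } },
};
const after = {
  vulnerabilities: { "example-pkg": entry("high", true, [{ title: "constructed advisory" }], []) },
  metadata: { vulnerabilities: { moderate: 0, high: 1, total: 1 } },
};

// Follow `effects` upward to find the direct dependencies that pull in `pkg`.
function directParents(report, pkg, seen = new Set()) {
  const node = report.vulnerabilities[pkg];
  if (!node || seen.has(pkg)) return [];
  seen.add(pkg);
  const roots = node.isDirect ? [pkg] : [];
  for (const parent of node.effects) roots.push(...directParents(report, parent, seen));
  return [...new Set(roots)].sort();
}

// Compare two reports: what disappeared, what is new, and how the counts moved.
function diffAudit(a, b, pkg) {
  const names = (r) => Object.keys(r.vulnerabilities);
  const delta = {};
  for (const [sev, n] of Object.entries(a.metadata.vulnerabilities)) {
    delta[sev] = (b.metadata.vulnerabilities[sev] ?? 0) - n;
  }
  return {
    resolved: names(a).filter((n) => !(n in b.vulnerabilities)).sort(),
    introduced: names(b).filter((n) => !(n in a.vulnerabilities)).sort(),
    delta,
    stillFlagged: pkg in b.vulnerabilities,
  };
}

const result = diffAudit(before, after, "nanoid");
console.log(directParents(before, "nanoid"), result);
// A CI gate would fail if the targeted package is still flagged or anything new appeared.
if (result.stillFlagged || result.introduced.length) process.exitCode = 1;
```

With real data, save `npm audit --json` from `develop` and from the feature branch and pass the two parsed files in place of the samples.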