Fix vulnerabilities: v2 #458

Merged
merged 1 commit into from
May 23, 2018

dhruvdutt
Member

What kind of change does this PR introduce?
Fix vulnerabilities

Did you add tests for your changes?

If relevant, did you update the documentation?

Summary

Does this PR introduce a breaking change?

Other information
Fixes #457

Contributor

@ematipico ematipico left a comment

There's your stuff from the add branch. Also, we should point it to master.

@dhruvdutt
Member Author

@ematipico Alright. Changed to point master.

@evenstensberg
Member

Shouldn't we point it to next, Emanuel? :) Why change the way we are developing all of a sudden when we agreed to a develop branch?

@ematipico
Contributor

@ev1stensberg If we follow gitflow, usually hotfixes point straight to master as they are urgent and they don't involve any development features. After that a patch should be released in order to provide the hotfixes ASAP. That's what I usually follow. What do you think? We can point it to next but this is important and a patch release should be provided ^^'

@dhruvdutt dhruvdutt changed the base branch from next to master May 22, 2018 16:32
@dhruvdutt dhruvdutt changed the base branch from master to next May 22, 2018 16:32
Member

@evenstensberg evenstensberg left a comment

You'll need to review each package as well 👍

@webpack-bot

@dhruvdutt Thanks for your update.

I labeled the Pull Request so reviewers will review it again.

@ematipico Please review the new changes.

@dhruvdutt dhruvdutt changed the base branch from next to master May 22, 2018 20:09
@dhruvdutt
Member Author

dhruvdutt commented May 22, 2018

@ev1stensberg I've changed the base branch to master which doesn't currently have monorepo setup.

I think @ematipico is right and next branch will anyway be a major release. I think we should do a hotfix release for current major version. 163 vulnerabilities sound like a big number.

I'll fix the next branch as well in a different PR.

"semantic-release": "^15.5.0",
"travis-deploy-once": "^5.0.0",
"webpack": "^4.8.3",
"webpack-dev-server": "^3.1.4"
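
Review bot: all four entries shown here are caret ranges (for example "webpack": "^4.8.3"), so the versions that actually get installed, and whether the findings reported in #457 stay fixed, depend on dependency resolution at install time rather than on these lines alone. If the repository commits a lockfile, regenerate it in this PR, and state the npm audit result after the change in the PR description so the fix can be verified against the 163 reported vulnerabilities.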
Member Author

The diff looks messy here because of wrong ordering in the previous version of the code. 😁

@evenstensberg
Member

This would have to be done for the next branch anyways, so why not just kill the problem at its core instead of having to do it all over again next time? The new version is soon out anyways, and the audits had low severity last time I checked.

@ematipico
Contributor

@ev1stensberg It's up to you then. Fix the audits on the webpack v3 branch (so check every package) and wait for the new release (who knows when), or do a hotfix to provide the community with the security fixes. We should always provide security fixes to the consumers of a software.

Member

@evenstensberg evenstensberg left a comment

Let's go for the next branch.

@dhruvdutt dhruvdutt changed the title Fix vulnerabilities Fix vulnerabilities: v2 May 23, 2018
@dhruvdutt
Member Author

Keeping this PR on master in case we decide to do a security fix release for v2.

For next / v3, #460.

@ematipico ematipico merged commit 3953648 into webpack:master May 23, 2018
@dhruvdutt dhruvdutt deleted the deps branch May 23, 2018 16:07
@evenstensberg
Member

🎉 This PR is included in version 2.1.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

Development

Successfully merging this pull request may close these issues.

npm audit yields 163 vulnerabilities
4 participants