
Fix package critical vulnerabilities #376

Merged: 11 commits, May 22, 2023

Conversation

@michaelrambeau (Contributor) commented May 22, 2023

Goal

An attempt to fix the "critical" issues reported by yarn audit command (17 critical issues after the 3.0.2 release, see #368 for details).

The strategy was to run yarn audit from this repo, fixing the "critical" issues one by one, ensuring that tests pass.

  • Remove remap-istanbul (not used any more)
  • Upgrade stubby
  • Upgrade @babel/core and @babel/preset-env
  • Upgrade nyc
  • Upgrade globby
  • Use @textlint/markdown-to-ast instead of markdown-to-ast (deprecated) and upgrade types accordingly

For vulnerabilities related to the minimist and chrome-launcher packages, I had to use Yarn resolutions by adding this to the "resolutions" object in package.json:

  "minimist": "1.2.8",
  "chrome-launcher": "0.13.2"

Also, this PR fixes a warning about missing peer dependencies when installing:

 WARN  Issues with peer dependencies found
.
└─┬ @uxpin/merge-cli 3.0.2
  └─┬ @uxpin/react-docgen-better-proptypes 0.1.1
    └── ✕ missing peer ast-types@^0.12.4
Peer dependencies that should be installed:
  ast-types@^0.12.4 

How to check

I released a dev version of the package on both registries:

  • 3.0.3-dev.124 on public NPM
  • 3.0.3-dev.123 on private GitHub

Steps:

  • Upgrade your @uxpin/merge-cli dependency with one of the versions mentioned above
  • Run yarn install
  • Check that the warning "@uxpin/merge-cli > @uxpin/react-docgen-better-proptypes@0.1.1" has unmet peer dependency "ast-types@^0.12.4". is gone
  • Try some of the CLI features (push)
  • Run yarn audit; it should show no vulnerabilities from @uxpin/merge-cli

Example, from the MUI repo:

1 vulnerabilities found - Packages audited: 905
Severity: 1 High

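The last step of "How to check" (run yarn audit and confirm nothing is reported through @uxpin/merge-cli) can be scripted instead of read off the terminal. The script below is an added example for this page, not code from the merge-cli project or from Yarn. It assumes the newline-delimited JSON that Yarn classic (v1) prints for `yarn audit --json`: one "auditAdvisory" record per finding, whose `data.resolution.path` is the ">"-separated dependency chain and whose `data.advisory` carries `module_name` and `severity`, followed by one "auditSummary" record with `data.vulnerabilities` counts and `data.dependencies`. The sample records embedded in the script are constructed test data with placeholder ids, titles and version ranges, not a real audit of any repository.

```javascript
// Added example (not part of @uxpin/merge-cli or Yarn): summarise `yarn audit --json`
// output and single out the advisories whose dependency path passes through one
// package. Field names follow Yarn classic (v1) audit records, as assumed above.
// SAMPLE_AUDIT_OUTPUT is constructed test data; ids, titles and ranges are placeholders.
const SAMPLE_AUDIT_OUTPUT = [
  {
    type: "auditAdvisory",
    data: {
      resolution: { id: 1, path: "@uxpin/merge-cli>stubby>node-static>optimist>minimist", dev: true },
      advisory: { module_name: "minimist", severity: "critical", title: "constructed sample advisory",
                  vulnerable_versions: "<1.2.8", patched_versions: ">=1.2.8" },
    },
  },
  {
    type: "auditAdvisory",
    data: {
      resolution: { id: 2, path: "example-tool>example-dep", dev: true },
      advisory: { module_name: "example-dep", severity: "high", title: "constructed sample advisory",
                  vulnerable_versions: "<2.0.0", patched_versions: ">=2.0.0" },
    },
  },
  {
    type: "auditSummary",
    data: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 1 }, dependencies: 905 },
  },
].map((record) => JSON.stringify(record)).join("\n");

// Parse one JSON record per line; lines that are not JSON (Yarn sometimes
// interleaves plain-text warnings on the same stream) are skipped.
function parseAuditOutput(ndjson) {
  const advisories = [];
  let summary = null;
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let record;
    try { record = JSON.parse(line); } catch { continue; }
    if (record.type === "auditAdvisory") advisories.push(record.data);
    else if (record.type === "auditSummary") summary = record.data;
  }
  return { advisories, summary };
}

// Match a whole path segment so that "foo" does not match "foo-bar".
function advisoriesVia(advisories, pkg) {
  return advisories.filter((a) => a.resolution.path.split(">").includes(pkg));
}

function countBySeverity(advisories) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const a of advisories) counts[a.advisory.severity] = (counts[a.advisory.severity] || 0) + 1;
  return counts;
}

// Overall counts plus the findings that are reachable only through `pkg`.
function auditReport(ndjson, pkg) {
  const { advisories, summary } = parseAuditOutput(ndjson);
  return {
    packagesAudited: summary ? summary.dependencies : null,
    bySeverity: countBySeverity(advisories),
    viaPackage: advisoriesVia(advisories, pkg).map((a) => ({
      module: a.advisory.module_name,
      severity: a.advisory.severity,
      path: a.resolution.path,
      patched: a.advisory.patched_versions,
    })),
  };
}

// Usage: yarn audit --json | node audit-via.js @uxpin/merge-cli
// Exits 1 when any advisory is reachable through the named package.
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const report = auditReport(require("fs").readFileSync(0, "utf8"), process.argv[2]);
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.viaPackage.length > 0 ? 1 : 0;
}
```

Piping `yarn audit --json` into the script gives a CI-friendly gate that fails only on findings attributable to the package under test; the remaining "1 High" from the MUI example above would still be counted in `bySeverity` but would not fail the check unless its path goes through @uxpin/merge-cli. (yarn audit itself exits with a bitmask of the severities it found, so it cannot be scoped to one package without filtering like this.)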

@michaelrambeau (Contributor, Author) commented May 22, 2023

About warnings when installing

When installing the package, I wanted to get as clean an output as possible, without warnings.
Unfortunately forcing Yarn to resolve some dependencies to fix the vulnerabilities leads to 2 warnings about

  • minimist@~0.0.1 requested by optimist@>=0.3.4 from node-static@^0.7.11 from stubby@^5.1.0
  • chrome-launcher@^0.10.0 requested by chromeless@^1.5.2 (which is the most up-to-date version because it's deprecated, see https://github.com/graphcool/chromeless)


However, it seems those warnings don't show up when installing @uxpin/merge-cli from another repository.
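The two warnings above are the expected side effect of a "resolutions" pin: Yarn forces every `minimist` and `chrome-launcher` entry in yarn.lock to the pinned version even where a dependant asked for a range the pin does not satisfy (`~0.0.1`, `^0.10.0`). The script below is an added example for this page, not code from the merge-cli project or from Yarn; it reads a v1-format yarn.lock (the lockfile layout assumed here is the classic one with `name@range:` header lines followed by an indented `version "..."` line; Yarn Berry lockfiles differ), confirms that every entry of a pinned package resolved to the pinned version, and reports which requested ranges the pin does not satisfy, i.e. exactly the cases that produce the warnings. The embedded lockfile is a constructed, abbreviated sample (no integrity hashes), and the semver check only understands exact versions and `^`/`~` ranges, returning null for anything else.

```javascript
// Added example (not part of @uxpin/merge-cli or Yarn): verify that "resolutions"
// pins took effect in a v1 yarn.lock and flag requested ranges the pin does not satisfy.
// SAMPLE_LOCKFILE is constructed, abbreviated test data, not a real lockfile.
const SAMPLE_LOCKFILE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"chrome-launcher@^0.10.0", chrome-launcher@0.13.2:
  version "0.13.2"
  resolved "https://registry.yarnpkg.com/chrome-launcher/-/chrome-launcher-0.13.2.tgz"

minimist@1.2.8, minimist@^1.2.0, minimist@~0.0.1:
  version "1.2.8"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz"

"optimist@>=0.3.4":
  version "0.6.1"
  resolved "https://registry.yarnpkg.com/optimist/-/optimist-0.6.1.tgz"
  dependencies:
    minimist "~0.0.1"
`;

// Map every "name@range" key of the lockfile to { name, range, version }.
// A header line is unindented, may list several comma-separated (optionally
// quoted) specs, and ends with ":"; the first indented `version "x"` after it
// applies to all of those specs.
function parseLockfile(text) {
  const entries = new Map();
  let currentKeys = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      currentKeys = raw.replace(/:\s*$/, "").split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      continue;
    }
    const m = /^  version "([^"]+)"/.exec(raw);
    if (m && currentKeys) {
      for (const key of currentKeys) {
        const at = key.lastIndexOf("@"); // last "@" so scoped names (@scope/pkg) survive
        entries.set(key, { name: key.slice(0, at), range: key.slice(at + 1), version: m[1] });
      }
    }
  }
  return entries;
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Simplified semver check (assumption: exact, "^" and "~" only); null for other ranges.
// "^" keeps the leftmost non-zero component fixed; "~" keeps major.minor fixed.
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const v = parseVersion(version);
  const base = parseVersion(op ? range.slice(1) : range);
  if (!v || !base) return null;
  if (op === "") return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  let upper;
  if (op === "~") upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return cmp(v, upper) < 0;
}

// For each pinned package, list every lockfile entry with whether it resolved to
// the pin and whether the pin satisfies the range the dependant requested.
function verifyResolutions(lockText, resolutions) {
  const entries = parseLockfile(lockText);
  const report = {};
  for (const [name, pinned] of Object.entries(resolutions)) {
    report[name] = [];
    for (const e of entries.values()) {
      if (e.name !== name) continue;
      report[name].push({ range: e.range, version: e.version,
                          pinned: e.version === pinned, satisfiesRange: satisfies(e.version, e.range) });
    }
  }
  return report;
}
```

Entries with `pinned: false` mean the resolution did not apply (a typo in the "resolutions" key, or a nested lockfile); entries with `satisfiesRange: false` are the ones Yarn warns about and are worth re-checking after each upgrade, since a dependant that really cannot work with the pinned major is a runtime failure the audit will not show.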

@michaelrambeau michaelrambeau self-assigned this May 22, 2023
@michaelrambeau michaelrambeau requested a review from Evomatic May 22, 2023 07:33
@michaelrambeau michaelrambeau marked this pull request as ready for review May 22, 2023 08:33
@Evomatic (Contributor) previously approved these changes May 22, 2023 and commented:

Thank you Michael for your contribution! UXPin is already looking better with less warnings when installing the CLI!

LGTM! 🧑‍💻

@michaelrambeau michaelrambeau changed the title Fix package vulnerabilities issues • Round 1 Fix package critical vulnerabilities May 22, 2023
@michaelrambeau michaelrambeau requested review from blue2wo and Evomatic and removed request for blue2wo and Evomatic May 22, 2023 09:08
@blue2wo (Contributor) left a comment:

Changelog review, LGTM 🌮

@michaelrambeau michaelrambeau merged commit 0a2f983 into master May 22, 2023
@michaelrambeau michaelrambeau deleted the fix-vulnerabilities-critical-round-1 branch May 22, 2023 09:15