Update dev dependencies, fix most of vulnerabilities #7133

johnd0e · 2020-05-08T11:41:42Z

    "eslint": "^6.8.0",
    "git-rev-sync": "^2.0.0",
    "rollup": "^0.59.4",
    "rollup-plugin-git-version": "^0.3.1",
    "ssri": "^8.0.0",
    "uglify-js": "^3.9.2"

Keep rollup < 0.60.0 for compatibility with IE 8 (see #6647)

(latests version with support of IE 8) Remove Object.freeze hack, use rollup's `output.freeze` option instead

And fix a couple of warnings. Ref: https://eslint.org/docs/user-guide/migrating-to-5.0.0#eslint-recommended-changes https://eslint.org/docs/user-guide/migrating-to-5.0.0#deprecated-globals

Ref: https://eslint.org/docs/user-guide/migrating-to-6.0.0#eslint-recommended-changes

johnd0e · 2020-05-08T15:34:14Z

Fix #6633.

After all changes npm audit reports only 4 vulnerabilities (instead of former 200):

=== npm audit security report ===                        
                                                                                
                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  High            Cross-Site Scripting                                          
                                                                                
  Package         handlebars                                                    
                                                                                
  Patched in      >=4.0.0                                                       
                                                                                
  Dependency of   leafdoc [dev]                                                 
                                                                                
  Path            leafdoc > handlebars                                          
                                                                                
  More info       https://npmjs.com/advisories/61                               
                                                                                
                                                                                
  Critical        Prototype Pollution                                           
                                                                                
  Package         handlebars                                                    
                                                                                
  Patched in      >=4.0.14 <4.1.0 || >=4.1.2                                    
                                                                                
  Dependency of   leafdoc [dev]                                                 
                                                                                
  Path            leafdoc > handlebars                                          
                                                                                
  More info       https://npmjs.com/advisories/755                              
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
                                                                                
  Package         marked                                                        
                                                                                
  Patched in      >=0.6.2                                                       
                                                                                
  Dependency of   leafdoc [dev]                                                 
                                                                                
  Path            leafdoc > marked                                              
                                                                                
  More info       https://npmjs.com/advisories/812                              
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         minimist                                                      
                                                                                
  Patched in      >=0.2.1 <1.0.0 || >=1.2.3                                     
                                                                                
  Dependency of   leafdoc [dev]                                                 
                                                                                
  Path            leafdoc > handlebars > optimist > minimist                    
                                                                                
  More info       https://npmjs.com/advisories/1179                             
                                                                                
found 4 vulnerabilities (1 low, 1 moderate, 1 high, 1 critical) in 3064 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

All of them come from Leafdoc's devDependencies, and are already addressed in still unpublished version.

mondeja · 2020-05-08T17:36:59Z

The marked and handlebar packages are not dependencies of current leafdoc, and there is a pull request to upgrade minimist that will remove this security vulnerability.

johndoe added 7 commits May 8, 2020 12:04

Update rollup-plugin-git-version to ^0.3.1

63c96ae

Update uglify-js to ^3.9.2

dadd51c

Update git-rev-sync to ^2.0.0

3a13228

Update ssri to ^8.0.0

435ff23

Update rollup to ^0.59.4

8953c51

(latests version with support of IE 8) Remove Object.freeze hack, use rollup's `output.freeze` option instead

Update eslint to ^5.16.0

e042f1e

And fix a couple of warnings. Ref: https://eslint.org/docs/user-guide/migrating-to-5.0.0#eslint-recommended-changes https://eslint.org/docs/user-guide/migrating-to-5.0.0#deprecated-globals

Update eslint to ^6.8.0

6761f94

Ref: https://eslint.org/docs/user-guide/migrating-to-6.0.0#eslint-recommended-changes

johnd0e force-pushed the update-deps branch from 65fdd7d to 6761f94 Compare May 8, 2020 14:37

johnd0e changed the title ~~Update dev dependencies~~ Update dev dependencies, fix most of vulnerabilities May 8, 2020

johnd0e marked this pull request as ready for review May 8, 2020 15:34

johnd0e mentioned this pull request May 8, 2020

Update Leafdoc #7134

Closed

mourner approved these changes May 18, 2020

View reviewed changes

mourner merged commit 9b0d7c2 into Leaflet:master May 18, 2020

johnd0e deleted the update-deps branch May 19, 2020 07:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dev dependencies, fix most of vulnerabilities #7133

Update dev dependencies, fix most of vulnerabilities #7133

johnd0e commented May 8, 2020 •

edited

johnd0e commented May 8, 2020 •

edited

mondeja commented May 8, 2020

Update dev dependencies, fix most of vulnerabilities #7133

Update dev dependencies, fix most of vulnerabilities #7133

Conversation

johnd0e commented May 8, 2020 • edited

johnd0e commented May 8, 2020 • edited

mondeja commented May 8, 2020

johnd0e commented May 8, 2020 •

edited

johnd0e commented May 8, 2020 •

edited