This repository has been archived by the owner on Aug 13, 2023. It is now read-only.

force versions of dependencies to remove security vulnerabilities #3689

Merged
merged 3 commits into from
Aug 24, 2020

Conversation

jroebu14
Contributor

@jroebu14 jroebu14 commented Aug 24, 2020

Resolves #3654

Overall change:
Forces dot-prop dependencies to install version 4.2.1 because previous versions have a security vulnerability.
Forces prismjs dependencies to install version 1.21.0 because previous versions have a security vulnerability.
Forces lodash dependencies to install version 4.17.20 because previous versions have a security vulnerability.

Code changes:

  • Adds resolutions to package.json which includes specific dependency versions.
  • Adds npx npm-force-resolutions to preinstall script to force the versions used in dependencies.

lodash

@bbc/psammead@2.2.1 /Users/roebuj02/psammead
├─┬ @babel/cli@7.10.4
│ └── lodash@4.17.20 
├─┬ @babel/core@7.10.4
│ ├─┬ @babel/generator@7.10.4
│ │ └── lodash@4.17.20 
│ ├─┬ @babel/helper-module-transforms@7.10.4
│ │ ├─┬ @babel/helper-replace-supers@7.10.4
│ │ │ └─┬ @babel/traverse@7.10.4
│ │ │   ├─┬ @babel/generator@7.10.4
│ │ │   │ └── lodash@4.17.20 
│ │ │   └── lodash@4.17.20 
│ │ ├─┬ @babel/types@7.10.4
│ │ │ └── lodash@4.17.20 
│ │ └── lodash@4.17.20 
│ ├─┬ @babel/helpers@7.10.4
│ │ ├─┬ @babel/traverse@7.10.4
│ │ │ ├─┬ @babel/generator@7.10.4
│ │ │ │ └── lodash@4.17.20 
│ │ │ └── lodash@4.17.20 
│ │ └─┬ @babel/types@7.10.4
│ │   └── lodash@4.17.20 
│ ├─┬ @babel/traverse@7.10.4
│ │ └── lodash@4.17.20 
│ ├─┬ @babel/types@7.10.4
│ │ └── lodash@4.17.20 
│ └── lodash@4.17.20 
├─┬ @babel/plugin-transform-modules-commonjs@7.10.4
│ └─┬ @babel/helper-simple-access@7.10.4
│   └─┬ @babel/types@7.10.4
│     └── lodash@4.17.20 
├─┬ @babel/plugin-transform-runtime@7.10.4
│ └─┬ @babel/helper-module-imports@7.10.4
│   └─┬ @babel/types@7.10.4
│     └── lodash@4.17.20 
├─┬ @babel/preset-env@7.10.4
│ ├─┬ @babel/plugin-proposal-async-generator-functions@7.10.4
│ │ └─┬ @babel/helper-remap-async-to-generator@7.10.4
│ │   ├─┬ @babel/helper-wrap-function@7.10.4
│ │   │ ├─┬ @babel/traverse@7.10.4
│ │   │ │ ├─┬ @babel/generator@7.10.4
│ │   │ │ │ └── lodash@4.17.20 
│ │   │ │ └── lodash@4.17.20 
│ │   │ └─┬ @babel/types@7.10.4
│ │   │   └── lodash@4.17.20 
│ │   ├─┬ @babel/traverse@7.10.4
│ │   │ ├─┬ @babel/generator@7.10.4
│ │   │ │ └── lodash@4.17.20 
│ │   │ └── lodash@4.17.20 
│ │   └─┬ @babel/types@7.10.4
│ │     └── lodash@4.17.20 
│ ├─┬ @babel/plugin-proposal-class-properties@7.10.4
│ │ └─┬ @babel/helper-create-class-features-plugin@7.10.4
│ │   └─┬ @babel/helper-replace-supers@7.10.4
│ │     └─┬ @babel/traverse@7.10.4
│ │       ├─┬ @babel/generator@7.10.4
│ │       │ └── lodash@4.17.20 
│ │       └── lodash@4.17.20 
│ ├─┬ @babel/plugin-proposal-private-methods@7.10.4
│ │ └─┬ @babel/helper-create-class-features-plugin@7.10.4
│ │   ├─┬ @babel/helper-function-name@7.10.4
│ │   │ └─┬ @babel/types@7.10.4
│ │   │   └── lodash@4.17.20 
│ │   └─┬ @babel/helper-replace-supers@7.10.4
│ │     └─┬ @babel/traverse@7.10.4
│ │       ├─┬ @babel/generator@7.10.4
│ │       │ └── lodash@4.17.20 
│ │       └── lodash@4.17.20 
│ ├─┬ @babel/plugin-proposal-unicode-property-regex@7.10.4
│ │ └─┬ @babel/helper-create-regexp-features-plugin@7.10.4
│ │   └─┬ @babel/helper-annotate-as-pure@7.10.4
│ │     └─┬ @babel/types@7.10.4
│ │       └── lodash@4.17.20 
│ ├─┬ @babel/plugin-transform-async-to-generator@7.10.4
│ │ └─┬ @babel/helper-module-imports@7.10.4
│ │   └─┬ @babel/types@7.10.4
│ │     └── lodash@4.17.20 
│ ├─┬ @babel/plugin-transform-block-scoping@7.10.4
│ │ └── lodash@4.17.20 
│ ├─┬ @babel/plugin-transform-classes@7.10.4
│ │ ├─┬ @babel/helper-annotate-as-pure@7.10.4
│ │ │ └─┬ @babel/types@7.10.4
│ │ │   └── lodash@4.17.20 
│ │ ├─┬ @babel/helper-define-map@7.10.4
│ │ │ ├─┬ @babel/types@7.10.4
│ │ │ │ └── lodash@4.17.20 
│ │ │ └── lodash@4.17.20 
│ │ └─┬ @babel/helper-replace-supers@7.10.4
│ │   └─┬ @babel/traverse@7.10.4
│ │     ├─┬ @babel/generator@7.10.4
│ │     │ └── lodash@4.17.20 
│ │     └── lodash@4.17.20 
│ ├─┬ @babel/plugin-transform-exponentiation-operator@7.10.4
│ │ └─┬ @babel/helper-builder-binary-assignment-operator-visitor@7.10.4
│ │   ├─┬ @babel/helper-explode-assignable-expression@7.10.4
│ │   │ ├─┬ @babel/traverse@7.10.4
│ │   │ │ ├─┬ @babel/generator@7.10.4
│ │   │ │ │ └── lodash@4.17.20 
│ │   │ │ └── lodash@4.17.20 
│ │   │ └─┬ @babel/types@7.10.4
│ │   │   └── lodash@4.17.20 
│ │   └─┬ @babel/types@7.10.4
│ │     └── lodash@4.17.20 
│ ├─┬ @babel/plugin-transform-function-name@7.10.4
│ │ └─┬ @babel/helper-function-name@7.10.4
│ │   └─┬ @babel/types@7.10.4
│ │     └── lodash@4.17.20 
│ ├─┬ @babel/plugin-transform-modules-systemjs@7.10.4
│ │ └─┬ @babel/helper-hoist-variables@7.10.4
│ │   └─┬ @babel/types@7.10.4
│ │     └── lodash@4.17.20 
│ ├─┬ @babel/plugin-transform-object-super@7.10.4
│ │ └─┬ @babel/helper-replace-supers@7.10.4
│ │   ├─┬ @babel/traverse@7.10.4
│ │   │ ├─┬ @babel/generator@7.10.4
│ │   │ │ └── lodash@4.17.20 
│ │   │ └── lodash@4.17.20 
│ │   └─┬ @babel/types@7.10.4
│ │     └── lodash@4.17.20 
│ ├─┬ @babel/plugin-transform-sticky-regex@7.10.4
│ │ └─┬ @babel/helper-regex@7.10.4
│ │   └── lodash@4.17.20 
│ ├─┬ @babel/plugin-transform-template-literals@7.10.4
│ │ └─┬ @babel/helper-annotate-as-pure@7.10.4
│ │   └─┬ @babel/types@7.10.4
│ │     └── lodash@4.17.20 
│ └─┬ @babel/types@7.10.4
│   └── lodash@4.17.20 
├─┬ @babel/preset-react@7.10.4
│ ├─┬ @babel/plugin-transform-react-jsx@7.10.4
│ │ ├─┬ @babel/helper-builder-react-jsx@7.10.4
│ │ │ └─┬ @babel/types@7.10.4
│ │ │   └── lodash@4.17.20 
│ │ └─┬ @babel/helper-builder-react-jsx-experimental@7.10.4
│ │   └─┬ @babel/types@7.10.4
│ │     └── lodash@4.17.20 
│ └─┬ @babel/plugin-transform-react-pure-annotations@7.10.4
│   └─┬ @babel/helper-annotate-as-pure@7.10.4
│     └─┬ @babel/types@7.10.4
│       └── lodash@4.17.20 
├─┬ @storybook/addon-a11y@5.3.19
│ ├─┬ @storybook/api@5.3.19
│ │ ├─┬ @storybook/csf@0.0.1
│ │ │ └── lodash@4.17.20 
│ │ ├── lodash@4.17.20 
│ │ └─┬ telejson@3.3.0
│ │   └── lodash@4.17.20 
│ └─┬ @storybook/components@5.3.19
│   └── lodash@4.17.20 
├─┬ @storybook/addon-actions@5.3.19
│ └─┬ @storybook/client-api@5.3.19
│   └── lodash@4.17.20 
├─┬ @storybook/addon-knobs@5.3.19
│ ├── lodash@4.17.20 
│ └─┬ react-color@2.18.1
│   ├── lodash@4.17.20 
│   └─┬ reactcss@1.2.3
│     └── lodash@4.17.20 
├─┬ @storybook/addon-notes@5.3.19
│ └─┬ @storybook/router@5.3.19
│   └── lodash@4.17.20 
├─┬ @storybook/react@5.3.19
│ ├─┬ @storybook/core@5.3.19
│ │ ├─┬ @storybook/ui@5.3.19
│ │ │ └── lodash@4.17.20 
│ │ ├─┬ babel-preset-minify@0.5.1
│ │ │ ├─┬ babel-plugin-minify-dead-code-elimination@0.5.1
│ │ │ │ └── lodash@4.17.20 
│ │ │ └── lodash@4.17.20 
│ │ ├─┬ html-webpack-plugin@4.3.0
│ │ │ └── lodash@4.17.20 
│ │ └─┬ inquirer@7.1.0
│ │   └── lodash@4.17.20 
│ ├─┬ babel-plugin-react-docgen@4.1.0
│ │ └── lodash@4.17.20 
│ ├── lodash@4.17.20 
│ └─┬ react-dev-utils@9.1.0
│   └─┬ inquirer@6.5.0
│     └── lodash@4.17.20 
├─┬ @testing-library/jest-dom@5.11.0
│ └── lodash@4.17.20 
├─┬ babel-eslint@10.1.0
│ ├─┬ @babel/traverse@7.10.1
│ │ ├─┬ @babel/generator@7.10.2
│ │ │ └── lodash@4.17.20 
│ │ └── lodash@4.17.20 
│ └─┬ @babel/types@7.10.2
│   └── lodash@4.17.20 
├─┬ babel-plugin-styled-components@1.10.7
│ └── lodash@4.17.20 
├─┬ eslint@7.3.1
│ ├── lodash@4.17.20 
│ └─┬ table@5.4.6
│   └── lodash@4.17.20 
├─┬ eslint-plugin-json@2.1.1
│ └── lodash@4.17.20 
├─┬ gh-pages@3.1.0
│ └─┬ async@2.6.3
│   └── lodash@4.17.20 
├─┬ lerna@3.22.1
│ ├─┬ @lerna/clean@3.21.0
│ │ └─┬ @lerna/prompt@3.18.5
│ │   └─┬ inquirer@6.5.2
│ │     └── lodash@4.17.20 
│ └─┬ @lerna/version@3.22.1
│   └─┬ @lerna/conventional-commits@3.22.0
│     └─┬ conventional-changelog-core@3.2.3
│       ├─┬ conventional-changelog-writer@4.0.16
│       │ └── lodash@4.17.20 
│       ├─┬ conventional-commits-parser@3.1.0
│       │ └── lodash@4.17.20 
│       └── lodash@4.17.20 
├─┬ storybook-chromatic@4.0.2
│ └─┬ jsdom@16.2.2
│   └─┬ request-promise-native@1.0.8
│     └─┬ request-promise-core@1.1.3
│       └── lodash@4.17.20 
├─┬ storybook-readme@5.0.8
│ └── lodash@4.17.20 
├─┬ stylelint@13.6.1
│ ├── lodash@4.17.20 
│ └─┬ postcss-reporter@6.0.1
│   └── lodash@4.17.20 
├─┬ yeoman-generator@4.11.0
│ ├─┬ grouped-queue@1.1.0
│ │ └── lodash@4.17.20 
│ ├── lodash@4.17.20 
│ └─┬ yeoman-environment@2.10.3
│   └── lodash@4.17.20 
└─┬ yo@3.1.1
  ├─┬ global-tunnel-ng@2.7.1
  │ └── lodash@4.17.20 
  ├─┬ inquirer@6.5.2
  │ └── lodash@4.17.20 
  ├─┬ insight@0.10.3
  │ └─┬ inquirer@6.5.2
  │   └── lodash@4.17.20 
  ├── lodash@4.17.20 
  └─┬ tabtab@1.3.2
    └─┬ inquirer@1.2.3
      └── lodash@4.17.20 

prismjs

@bbc/psammead@2.2.1 /Users/roebuj02/psammead
├─┬ @storybook/addon-a11y@5.3.19
│ └─┬ @storybook/components@5.3.19
│   └─┬ react-syntax-highlighter@11.0.2
│     ├── prismjs@1.21.0 
│     └─┬ refractor@2.10.1
│       └── prismjs@1.21.0 
└─┬ storybook-readme@5.0.8
  └── prismjs@1.21.0 

dot-prop

@bbc/psammead@2.2.1 /Users/roebuj02/psammead
├─┬ lerna@3.22.1
│ ├─┬ @lerna/add@3.21.0
│ │ └─┬ @lerna/command@3.21.0
│ │   └─┬ @lerna/project@3.21.0
│ │     └── dot-prop@4.2.1 
│ └─┬ @lerna/version@3.22.1
│   └─┬ @lerna/conventional-commits@3.22.0
│     └─┬ conventional-changelog-angular@5.0.10
│       └─┬ compare-func@1.3.4
│         └── dot-prop@4.2.1 
└─┬ yo@3.1.1
  ├─┬ configstore@3.1.2
  │ └── dot-prop@4.2.1 
  ├─┬ insight@0.10.3
  │ └─┬ conf@1.4.0
  │   └── dot-prop@4.2.1 
  └─┬ sort-on@3.0.0
    └── dot-prop@4.2.1 

  • I have assigned myself to this PR and the corresponding issues
  • Automated jest tests added (for new features) or updated (for existing features)
  • This PR requires manual testing
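The `npm ls` trees above are the evidence that the forced versions actually took effect; reading them by eye for a large tree is error-prone, so here is a small check that does the same thing mechanically. This is an added example, not code from the psammead repository or from npm-force-resolutions: it takes the `resolutions` map this PR adds to package.json and the JSON form of the same listing (`npm ls --json`, whose npm 6 shape is nested `dependencies` objects each carrying a `version`), walks every installed copy of each pinned package, and reports any copy whose version differs from the pin. The tree embedded below is a constructed, abridged sample modelled on the paths in the PR description, with one copy of dot-prop deliberately left on an older version so the failure case is visible; the function names are the example's own.

```javascript
// Added example (not from the psammead repo): verify that every installed copy of a
// package pinned in package.json "resolutions" matches the pinned version, using the
// nested-object shape of `npm ls --json` (npm 6: { dependencies: { name: { version, dependencies } } }).

// The resolutions this PR adds to package.json.
const resolutions = {
  'dot-prop': '4.2.1',
  prismjs: '1.21.0',
  lodash: '4.17.20',
};

// Constructed sample of `npm ls --json` output, abridged from the paths in the PR
// description. The dot-prop under configstore is deliberately left at an older
// (constructed) version to show what an unresolved copy looks like.
const sampleTree = {
  name: '@bbc/psammead',
  version: '2.2.1',
  dependencies: {
    '@babel/cli': {
      version: '7.10.4',
      dependencies: { lodash: { version: '4.17.20' } },
    },
    'storybook-readme': {
      version: '5.0.8',
      dependencies: { prismjs: { version: '1.21.0' } },
    },
    lerna: {
      version: '3.22.1',
      dependencies: {
        '@lerna/project': {
          version: '3.21.0',
          dependencies: { 'dot-prop': { version: '4.2.1' } },
        },
      },
    },
    yo: {
      version: '3.1.1',
      dependencies: {
        configstore: {
          version: '3.1.2',
          dependencies: { 'dot-prop': { version: '4.1.1' } }, // not forced: should be reported
        },
      },
    },
  },
};

// Depth-first walk of the tree; returns one record per installed copy of a pinned
// package, with the path from the root so a bad copy can be traced to its parent.
function findPinnedCopies(tree, pins, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version}`];
    if (Object.prototype.hasOwnProperty.call(pins, name)) {
      out.push({
        name,
        version: node.version,
        path: here.join(' > '),
        ok: node.version === pins[name], // resolutions pin exact versions, so compare exactly
      });
    }
    findPinnedCopies(node, pins, here, out);
  }
  return out;
}

// Copies that violate a resolution; an empty array means every pin took effect.
function checkResolutions(tree, pins) {
  return findPinnedCopies(tree, pins).filter((copy) => !copy.ok);
}

const violations = checkResolutions(sampleTree, resolutions);
if (violations.length === 0) {
  console.log('all pinned packages resolved to their forced versions');
} else {
  for (const v of violations) {
    console.log(`${v.name}@${v.version} at ${v.path} (expected ${resolutions[v.name]})`);
  }
}
```

To run it against a real tree, replace `sampleTree` with `JSON.parse` of the captured `npm ls --json` output after `npm install`; a non-empty result means the preinstall step did not rewrite that path, which is worth re-checking before relying on `npm audit` coming back clean.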

@jroebu14 jroebu14 self-assigned this Aug 24, 2020
@jroebu14 jroebu14 added the cross-team For visibility for both World Service teams (Engage & Media) label Aug 24, 2020
@jroebu14 jroebu14 added this to PR in Progress in Simorgh via automation Aug 24, 2020
@jroebu14 jroebu14 marked this pull request as ready for review August 24, 2020 13:49
@jroebu14 jroebu14 changed the title force dot-prop dependency v4.2.1 force versions of dependencies to remove security vulnerabilities Aug 24, 2020
@jroebu14 jroebu14 moved this from PR in Progress to Code Review in Simorgh Aug 24, 2020
Simorgh automation moved this from Code Review to Ready for Test Aug 24, 2020
@jroebu14 jroebu14 merged commit 2cc2d65 into latest Aug 24, 2020
Simorgh automation moved this from Ready for Test to Done Aug 24, 2020
@jroebu14 jroebu14 deleted the force-dot-prop-v4.1.2 branch August 24, 2020 14:20

Successfully merging this pull request may close these issues.

dot-prop cannot be updated
4 participants