
Upgrade next and node-sass to the latest version #1705

Closed
tihuan opened this issue Dec 2, 2021 · 7 comments
Labels
frontend Frontend work P1 Priority 1 - Improvement with wide impact, fix within 1 week

Comments

@tihuan
Contributor

tihuan commented Dec 2, 2021

Context:
We have a vuln related to node-sass: https://github.com/chanzuckerberg/single-cell-data-portal/pull/1248/files

Solution:

  1. Upgrade next first at least to latest v12, since they have fixed their node-sass deps here
  2. Now we should be able to upgrade node-sass!
  3. next 11.1.3 upgrade alert: https://github.com/chanzuckerberg/single-cell-data-portal/security/dependabot/frontend/package-lock.json/next/open
  4. chore(deps): bump next from 11.1.3 to 12.1.0 in /frontend #1980
@tihuan tihuan added the frontend Frontend work label Dec 2, 2021
@maniarathi maniarathi added the P0 Priority 0 - Critical, fix ASAP! label Dec 13, 2021
@seve
Member

seve commented Dec 14, 2021

Just a heads-up, if this takes too many cycles. This trim-newlines vulnerability doesn't actually affect us. If the benefits of upgrading next aren't P0, I would recommend dropping the priority of this ticket.

cc: @maniarathi
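The upgrade plan in the opening comment (next first, then node-sass) and the note above that the trim-newlines vulnerability does not actually affect this project both come down to one question: which dependency chains in `package-lock.json` resolve to the flagged package, and at what version. The following is an added example, not code from this thread or from the single-cell-data-portal project. It walks an npm lockfileVersion 1 document (nested `dependencies` plus `requires`) using npm's nearest-scope resolution and reports every path from a direct dependency down to a target package. The lockfile content, the `direct` list and the `fixed_in` threshold are constructed for the example; the real project's lockfile and the advisory's fixed version are not on this page.

```python
import json

# Constructed lockfile fragment in npm lockfileVersion 1 shape. Package names
# mirror the thread (next, node-sass, trim-newlines) but every version and the
# nesting below are invented for this example, not taken from the project.
SAMPLE_LOCK = json.dumps({
    "name": "frontend",
    "lockfileVersion": 1,
    "dependencies": {
        "next": {"version": "11.1.3", "requires": {"node-sass": "^6.0.0"}},
        "node-sass": {
            "version": "6.0.1",
            "requires": {"meow": "^9.0.0"},
            "dependencies": {
                "meow": {
                    "version": "9.0.0",
                    "requires": {"trim-newlines": "^3.0.0"},
                    "dependencies": {"trim-newlines": {"version": "3.0.0"}},
                }
            },
        },
        "react": {"version": "17.0.2"},
    },
})


def parse_lock(text):
    """Parse a package-lock.json document from its text."""
    return json.loads(text)


def _resolve(name, scope_chain):
    """npm v1 resolution: nearest nested 'dependencies' scope wins, root last."""
    for deps in scope_chain:
        if name in deps:
            return deps[name]
    return None


def find_paths(lock, target, direct=None):
    """Return every dependency path (list of 'name@version') that reaches
    `target`. `direct` restricts the starting points to the project's own
    direct dependencies; by default every root-level entry is a start."""
    root_deps = lock.get("dependencies", {})
    starts = direct if direct is not None else list(root_deps)
    paths = []

    def walk(name, node, scope_chain, path, seen):
        path = path + [f"{name}@{node.get('version', '?')}"]
        if name == target:
            paths.append(path)
            return
        if name in seen:  # cycle guard for circular requires
            return
        seen = seen | {name}
        nested = node.get("dependencies", {})
        child_scope = ([nested] + scope_chain) if nested else scope_chain
        for req in node.get("requires", {}):
            child = _resolve(req, child_scope)
            if child is not None:
                walk(req, child, child_scope, path, seen)

    for name in starts:
        if name in root_deps:
            walk(name, root_deps[name], [root_deps], [], frozenset())
    return paths


def version_tuple(v):
    """Numeric semver tuple; pre-release suffixes are ignored for comparison."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def affected(lock, target, fixed_in, direct=None):
    """Paths whose resolved `target` version is older than `fixed_in`."""
    return [
        p for p in find_paths(lock, target, direct)
        if version_tuple(p[-1].rsplit("@", 1)[1]) < version_tuple(fixed_in)
    ]


if __name__ == "__main__":
    lock = parse_lock(SAMPLE_LOCK)
    # "3.0.1" is a constructed threshold for the example; take the real value
    # from the advisory that flagged the package.
    for path in affected(lock, "trim-newlines", "3.0.1", direct=["next", "react"]):
        print(" -> ".join(path))
```

Running it on a real lockfile means reading the file instead of `SAMPLE_LOCK` and passing the names from `package.json`'s `dependencies`/`devDependencies` as `direct`. An empty result from `affected` means no direct dependency resolves to a vulnerable version of the target; a non-empty one shows exactly which chain (here, next via node-sass) has to move before the flagged package can be dropped, which is the ordering the opening comment describes.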

@maniarathi
Contributor

@tihuan Do you think it makes sense to drop to P1 then given Seve's note?

@tihuan
Contributor Author

tihuan commented Dec 14, 2021

Thanks so much for the heads-up, @seve!

@maniarathi : Yeah I think dropping to P1 sounds great, and we can just upgrade node-sass when we upgrade next in a few months once they port over Styled Components parser to SWC 🙆‍♂️

Github Issue: vercel/next.js#30802

Thanks both!

@maniarathi maniarathi added P1 Priority 1 - Improvement with wide impact, fix within 1 week and removed P0 Priority 0 - Critical, fix ASAP! labels Dec 20, 2021
@maniarathi
Contributor

Can do this sometime in Q2 2022.

@tihuan
Contributor Author

tihuan commented Jan 4, 2022

Since next finally released 11.1.3, which is a patch version bump, I'll send out a PR to upgrade it after Perf! Thank you!

https://github.com/chanzuckerberg/single-cell-data-portal/security/dependabot/frontend/package-lock.json/next/open

@seve seve linked a pull request Jan 24, 2022 that will close this issue
@tihuan
Contributor Author

tihuan commented Feb 14, 2022

Turned out that Next only included the patch in v12:

vercel/next.js#34139 (comment)

@tihuan
Contributor Author

tihuan commented Aug 15, 2022

I think we've waited long enough for Next 12 to be stable, so maybe I can help upgrade to 12 this week? @maniarathi thank you!
