
Fix most NPM audit alerts #1106

Merged
merged 9 commits into from Nov 2, 2021

Conversation

snowteamer
Collaborator

@snowteamer snowteamer commented Nov 2, 2021

Summary of changes:

  • Remove unused local grunt (we are only using a globally installed grunt).
  • Bump browser-sync to 2.27.7.
  • Uninstall unused cheerio and chokidar (however they are still there as sub-dependencies).
  • Bump mocha to v8.4.0.
  • Bump eslint to v7.32.0.
  • Remove eslint-plugin-standard as suggested in the following notice:

npm WARN deprecated eslint-plugin-standard@5.0.0: standard 16.0.0 and eslint-config-standard 16.0.0 no longer require the eslint-plugin-standard package. You can remove it from your dependencies with 'npm rm eslint-plugin-standard'. More info here: standard/standard#1316

  • Replace babel-eslint with @babel/eslint-parser as per notice:

npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.

  • Bump eslint-plugin-vue to v7.20.0

  • The number of audit alerts has been reduced from 37 (13 moderate, 19 high, 5 critical) to 12 (12 high).
    This is still quite a lot; however, they all seem to arise from only two packages, namely `set-value` and `union-value`. From the dependency graph displayed by `npm audit` it looks like fixing these remaining issues would involve either patching `check-dependencies` or forking `grunt-check-dependencies`, in order to update their vulnerable `findup-sync` sub-dependency.
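The remaining alerts the PR description traces to set-value and union-value are inherited through a chain of sub-dependencies, so the question a maintainer has to answer is which entry in package.json is actually responsible. The script below is an added example, not code from this PR or the okTurtles project. It assumes the npm 7+ `npm audit --json` shape (a `vulnerabilities` map whose entries carry `via`, `effects`, `isDirect` and `fixAvailable`) and runs on a hand-constructed report that mirrors the chain described above; the version ranges and advisory ids in it are placeholders, not real advisory data.

```javascript
// Added example: trace `npm audit --json` findings back to the direct
// dependency that pulls in each vulnerable package. Not part of the PR.
// Assumption: the npm 7+ audit JSON shape, where `vulnerabilities` is keyed by
// package name and each entry has `via` (advisory objects, or the names of the
// vulnerable dependencies the alert is inherited from), `effects` (packages
// that depend on this one), `isDirect` and `fixAvailable`.

// Constructed sample, not real audit output: it mirrors the chain described in
// the PR (set-value / union-value -> findup-sync -> check-dependencies ->
// grunt-check-dependencies). Version ranges and advisory ids are placeholders.
const SAMPLE_REPORT = {
  vulnerabilities: {
    "set-value": {
      name: "set-value", severity: "high", isDirect: false,
      via: [{ source: 1, name: "set-value", title: "Prototype pollution in set-value (placeholder)",
              severity: "high", range: "<4.0.1" }],
      effects: ["union-value"], range: "<4.0.1", fixAvailable: false,
    },
    "union-value": {
      name: "union-value", severity: "high", isDirect: false,
      via: [{ source: 2, name: "union-value", title: "Prototype pollution in union-value (placeholder)",
              severity: "high", range: "<1.0.1" }, "set-value"],
      effects: ["findup-sync"], range: "<1.0.1", fixAvailable: false,
    },
    "findup-sync": {
      name: "findup-sync", severity: "high", isDirect: false, via: ["union-value"],
      effects: ["check-dependencies"], range: "<=2.0.0", fixAvailable: false,
    },
    "check-dependencies": {
      name: "check-dependencies", severity: "high", isDirect: false, via: ["findup-sync"],
      effects: ["grunt-check-dependencies"], range: "*", fixAvailable: false,
    },
    "grunt-check-dependencies": {
      name: "grunt-check-dependencies", severity: "high", isDirect: true, via: ["check-dependencies"],
      effects: [], range: "*", fixAvailable: false,
    },
  },
};

// Count entries per severity. npm's summary counts every package on the path,
// not only the packages with an advisory of their own, which is how a handful
// of advisories shows up as a much larger number of "high" alerts.
function countBySeverity(report) {
  const counts = {};
  for (const v of Object.values(report.vulnerabilities)) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
  }
  return counts;
}

// For each package with an advisory of its own (an object in `via`), walk the
// `effects` edges upward and collect the direct dependencies reached. Those are
// the package.json entries that must be bumped, patched, forked or dropped for
// the alert to disappear.
function rootCauses(report) {
  const vulns = report.vulnerabilities;
  const result = {};
  for (const [name, v] of Object.entries(vulns)) {
    const advisories = (v.via || []).filter((x) => typeof x === "object" && x !== null);
    if (advisories.length === 0) continue; // inherited only; reported under its origin
    const roots = new Set();
    const seen = new Set();
    const stack = [name];
    while (stack.length > 0) {
      const cur = stack.pop();
      if (seen.has(cur)) continue; // the dependency graph can contain cycles
      seen.add(cur);
      const node = vulns[cur];
      if (!node) continue; // dependent not listed in the report
      if (node.isDirect) roots.add(cur);
      for (const dependent of node.effects || []) stack.push(dependent);
    }
    result[name] = {
      severity: v.severity,
      advisories: advisories.map((a) => a.title),
      directDependents: [...roots].sort(),
      fixAvailable: v.fixAvailable,
    };
  }
  return result;
}

console.log(JSON.stringify(countBySeverity(SAMPLE_REPORT)));
console.log(JSON.stringify(rootCauses(SAMPLE_REPORT), null, 2));
```

On a real project, replace `SAMPLE_REPORT` with the parsed output of `npm audit --json`; every advisory then lists the direct dependency it reaches, and a `fixAvailable` of `false` on the origin package is the signal that bumping alone will not clear it.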

@snowteamer snowteamer added the dependencies and Kind:Enhancement labels Nov 2, 2021
Member

@taoeffect taoeffect left a comment

Approved! Excellent PR @snowteamer!

@taoeffect taoeffect merged commit 5a534e4 into okTurtles:master Nov 2, 2021
@snowteamer snowteamer deleted the fix-npm-audit-alerts branch November 2, 2021 16:57
@taoeffect taoeffect mentioned this pull request Nov 29, 2021