
[FE-10408] Dependency updates via npm audit fix #177

Merged
merged 1 commit into from Apr 3, 2020

Conversation

israelvicars
Contributor

Merge Checklist

Issue(s) fixed:

  • Author referenced issue(s) fixed by this PR: FE-10408
  • Fixes #10408

Smoke Test

  • Works in chrome
  • Works in firefox
  • Works in safari
  • Works in ie edge
  • Works in ie 11

Merge

  • author crafted PR's title into release-worthy commit message.

@israelvicars
Contributor Author

Initial state: 787 vulnerabilities (245 low, 8 moderate, 532 high, 2 critical)

After npm audit fix

Upgrades eslint in package.json and makes other changes to package-lock.json:

-     "eslint": "^3.0.1",
+    "eslint": "^4.18.2",
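Review bot: `^3.0.1` to `^4.18.2` is a major-version jump of eslint, so besides the advisories it resolves it can change which lint rules fire; the smoke-test checklist above only covers browsers, so record the lint run (and the before/after `npm audit` counts) in the PR notes so reviewers can see the lint step still passes on this branch.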
  • added 5 packages from 39 contributors, removed 31 packages and updated 16 packages
  • fixed 723 of 787 vulnerabilities

Rerunning npm audit and npm audit fix

There's mixed output after the first pass. Though there should only be 60 or so remaining vulnerabilities, npm audit reports a remaining 166 vulnerabilities.

Re-running npm audit fix provides mixed output after that, claiming to fix either 144 or 102 of those vulnerabilities without any file status changes.

npm audit fix --force

At best, the remaining vulnerabilities are:

  22 vulnerabilities required manual review and could not be updated
  9 package updates for 42 vulnerabilities involved breaking changes

Using the --force option, the following dev dependency updates are made in package.json:

-    "babel-loader": "^6.4.1",
+    "babel-loader": "^8.1.0",

-    "codecov": "^2.2.0",
+    "codecov": "^3.6.5",

-    "documentation": "^4.0.0-rc.0",
+    "documentation": "^12.2.0",

-    "esdoc": "^0.4.8",
+    "esdoc": "^1.1.0",

-    "karma": "^1.7.0",
+    "karma": "^4.4.1",

-    "karma-babel-preprocessor": "^6.0.1",
+    "karma-babel-preprocessor": "^8.0.1",

-    "mocha": "^2.5.3",
+    "mocha": "^7.1.1",

-    "nyc": "^10.3.0",
+    "nyc": "^15.0.0",

-    "webpack": "^1.15.0"
+    "webpack": "^4.42.1"
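Review bot: every entry in this `--force` block is a major-version jump on a build or test tool (webpack 1 to 4, mocha 2 to 7, karma 1 to 4, babel-loader 6 to 8, nyc 10 to 15), which is why the test run breaks; since Next Steps says these are excluded from this PR, confirm the merged package.json carries only the eslint bump and that package-lock.json was regenerated against it, and land each of these tool upgrades together with its config migration as its own PR.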

Unsurprisingly, all of these changes without modification break the test running process.

Next Steps

The eslint upgrade alone is an 80% improvement for all vulnerabilities. The remaining upgrades can be tested independently (the --force changes are not included). I'm hoping the documentation and esdoc changes will have a small surface area of change.
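The triage the comment above does by hand (auto-fixed, breaking with --force, manual review, and which leftovers matter for a release), as an added Node example that is not part of this PR; it assumes the npm 6 `npm audit --json` layout (`actions` with `isMajor`, `advisories` keyed by id, `metadata.vulnerabilities`) and runs on a constructed sample report.

```javascript
// Added example, not code from this PR: triage an `npm audit --json` report into the groups the
// `npm audit fix` output above reports. Assumes the npm 6 layout: actions[{action, module, isMajor,
// resolves[{id, path, dev}]}], advisories keyed by id {module_name, severity}, metadata.vulnerabilities.
const SEVERITIES = ["low", "moderate", "high", "critical"];

// Constructed sample report in the npm 6 shape; not real audit output from this repo.
const SAMPLE_REPORT = {
  actions: [
    { action: "install", module: "eslint", target: "4.18.2", isMajor: true,
      resolves: [{ id: 1, path: "eslint>a", dev: true }, { id: 2, path: "eslint>b", dev: true }] },
    { action: "update", module: "lodash", target: "4.17.15", resolves: [{ id: 3, path: "webpack>lodash", dev: false }] },
    { action: "review", module: "minimist", resolves: [{ id: 4, path: "mocha>minimist", dev: true }] },
  ],
  advisories: {
    1: { id: 1, module_name: "a", severity: "high" }, 2: { id: 2, module_name: "b", severity: "low" },
    3: { id: 3, module_name: "lodash", severity: "high" }, 4: { id: 4, module_name: "minimist", severity: "critical" },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 2, critical: 1 } },
};

// Header in the same form as the "787 vulnerabilities (245 low, ...)" line above.
function summarize(report) {
  const v = report.metadata.vulnerabilities;
  const total = SEVERITIES.reduce((n, s) => n + (v[s] || 0), 0);
  return `${total} vulnerabilities (${SEVERITIES.map((s) => `${v[s] || 0} ${s}`).join(", ")})`;
}

// Plain `npm audit fix` applies non-major install/update actions; isMajor ones need --force
// ("involved breaking changes"); review actions are the "required manual review" count.
function triage(report) {
  const out = { auto: 0, breaking: { packages: 0, vulns: 0 }, review: 0 };
  for (const a of report.actions) {
    const n = a.resolves.length;
    if (a.action === "review") out.review += n;
    else if (a.isMajor) { out.breaking.packages += 1; out.breaking.vulns += n; }
    else out.auto += n;
  }
  return out;
}

// What still blocks a release after `fix`: findings at or above minSeverity that reach a
// production (non-dev) path or sit in a manual-review action; dev-only findings rank lower.
function blockers(report, minSeverity = "high") {
  const floor = SEVERITIES.indexOf(minSeverity);
  const hits = new Map();
  for (const a of report.actions) for (const r of a.resolves) {
    const adv = report.advisories[r.id];
    if (SEVERITIES.indexOf(adv.severity) >= floor && (!r.dev || a.action === "review"))
      hits.set(adv.id, `${adv.module_name} (${adv.severity}) via ${r.path}`);
  }
  return [...hits.values()].sort();
}
```

Feed it a real report with `JSON.parse(require("fs").readFileSync(0, "utf8"))` from `npm audit --json` on stdin and fail CI when `blockers()` is non-empty.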

@israelvicars israelvicars added the dependencies Pull requests that update a dependency file label Mar 31, 2020
@israelvicars israelvicars merged commit ba370f0 into master Apr 3, 2020
@israelvicars israelvicars deleted the israel/FE-10408 branch April 3, 2020 16:03