Fix dependabot alerts #81

devonpis · 2022-07-11T07:56:06Z

the PR created by the dependabot has error on building, probably having difficulty to access the nexus registry.

Therefore I try to fix various vulnerabilities reported by dependabot manually.
and here are the findings:

all the vulnerabilities should have no effects on the production code, as either are devDependencies or unuse.
vulnerabilities from formiojs package will not be fixed, even we update our dependencies (from the moment package https://github.com/qld-gov-au/formio/security/dependabot/12), as we are serving the compiled formiojs script files. it has to be fixed in future release in formiojs repo.
vulnerability from postcss https://github.com/qld-gov-au/formio/security/dependabot/8 will be fixed by removing the glob support for scss import.
there is no walkaround for vulnerability from scss-tokenizer, since it's a devDependencies (from node-sass package), it would not affect the production code so could be dismissed.

devonpis · 2022-07-11T08:24:54Z

duttonw · 2022-07-12T02:44:05Z

.github/workspace/prem/package.json

@@ -30,6 +30,7 @@
  },
  "devDependencies": {},
  "dependencies": {
-    "@formio/premium": "^1.19.0-rc.3"
+    "@formio/premium": "^1.19.0-rc.3",


should this not be 1.18.x?

devonpis added 2 commits July 11, 2022 17:42

fix dependabot alerts

9dddb66

remove comments

bc7de15

devonpis requested review from duttonw and a team July 11, 2022 08:02

ThrawnCA approved these changes Jul 12, 2022

View reviewed changes

duttonw reviewed Jul 12, 2022

View reviewed changes

duttonw approved these changes Jul 12, 2022

View reviewed changes

update prem package

62e575d

devonpis merged commit d90639e into main Jul 12, 2022

duttonw deleted the fix-dependabot-alerts branch November 20, 2022 22:46

Provide feedback