
chore: update dependencies #2520

Merged
merged 5 commits into from Oct 5, 2021

Conversation

@jodarove jodarove (Contributor) commented Oct 4, 2021

Update dependencies.

Updates causing changes in our codebase:

Does this PR introduce breaking changes?

  • No, it does not introduce breaking changes.

package.json Outdated
@@ -81,6 +81,9 @@
"engines": {
"node": ">=10"
},
"resolutions": {
"axios": "^0.21.2"
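Review bot: "resolutions" is a tree-wide override, so the "axios": "^0.21.2" entry forces that range on every copy of axios in the install, including the one reached only through the bundlesize devDependency, while changing nothing for consumers of the published package because axios is not under "dependencies". If the goal is just to install the patched axios locally, regenerate yarn.lock (or run yarn upgrade axios) so the fix lives in the lockfile instead of a permanent override; note also that a caret on a 0.x version only admits 0.21.x, so this entry would hold axios back from 0.22 and later once bundlesize moves on. The hunk as shown ends at the "axios" entry without the closing brace of "resolutions", so please confirm the object is closed and that no other overrides were added alongside it.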
Contributor

I see we discussed this previously (#2484 (comment)), and @pmdartus suggested we only add resolutions for severe security bugs. This one is marked as high-severity, so I think it applies.

That said, yarn why axios says that we only have axios because of the bundlesize plugin, which is a devDependency. That means that none of our consumers would see this vulnerability. So personally I would prefer to not pollute our package.json with resolutions.

Plus, it looks like we should be able to just delete yarn.lock and re-run yarn to get the newest axios version, because our version of bundlesize depends on axios@^0.21.1.
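As an added example, not code from the LWC project or from any participant in this thread, the following Node script performs the check described above with yarn why: it walks a dependency graph and reports whether a package is reachable from the root's "dependencies" (so it ships to consumers of the published package) or only from "devDependencies" (exposure limited to developers and CI). The package names and edges in constructedGraph are made up for the illustration; in practice the edges come from yarn why <pkg> or from yarn.lock.

```javascript
// Added example, not part of the LWC repository: classify whether a package
// named in an advisory is shipped to consumers (reachable from the root
// "dependencies") or only present for development (reachable only from the
// root "devDependencies"). This is the distinction behind "none of our
// consumers would see this vulnerability" in the discussion above.
//
// constructedGraph is made up for this example. Keys are package names;
// 'root' carries the project's own manifest split, and every other entry
// lists that package's runtime dependencies (a dependency's own
// devDependencies are never installed, so they are not edges here).
const constructedGraph = {
  root: {
    dependencies: ['@babel/core'],
    devDependencies: ['bundlesize', 'jest'],
  },
  '@babel/core': ['@babel/generator'],
  '@babel/generator': [],
  bundlesize: ['axios', 'glob'],
  axios: ['follow-redirects'],
  'follow-redirects': [],
  glob: [],
  jest: ['glob'],
};

// Every package reachable from `roots` by following runtime edges.
function reachable(graph, roots) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of graph[name] || []) stack.push(dep);
  }
  return seen;
}

// 'production': in the tree consumers install, so a consumer-facing fix
//               (bump, override, or upstream release) is warranted.
// 'dev-only':   only developers and CI install it; refresh the lockfile,
//               nothing needs publishing and no override needs carrying.
// 'absent':     not in the tree at all.
function classifyExposure(graph, pkg) {
  if (reachable(graph, graph.root.dependencies).has(pkg)) return 'production';
  if (reachable(graph, graph.root.devDependencies).has(pkg)) return 'dev-only';
  return 'absent';
}

// Shortest chain from the root manifest to `pkg`, similar to what
// `yarn why` reports. Production roots are queued first, so a package
// reachable both ways is explained through its production path.
// Returns null when the package is not in the tree.
function whyPath(graph, pkg) {
  const roots = [...graph.root.dependencies, ...graph.root.devDependencies];
  const parent = new Map(roots.map((r) => [r, 'root']));
  const queue = [...roots];
  while (queue.length > 0) {
    const name = queue.shift();
    if (name === pkg) {
      const chain = [];
      for (let cur = name; cur !== 'root'; cur = parent.get(cur)) chain.unshift(cur);
      return ['root', ...chain];
    }
    for (const dep of graph[name] || []) {
      if (!parent.has(dep)) {
        parent.set(dep, name);
        queue.push(dep);
      }
    }
  }
  return null;
}

// Verdict for an advisory against this tree: exposure class plus the chain
// that explains why the package is installed.
function triage(graph, pkg) {
  return { pkg, exposure: classifyExposure(graph, pkg), path: whyPath(graph, pkg) };
}

console.log(triage(constructedGraph, 'axios'));
```

Run with node against a real tree by replacing constructedGraph with edges read from yarn.lock; a 'dev-only' verdict is the case where regenerating the lockfile is enough and a "resolutions" override buys consumers nothing.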

@nolanlawson nolanlawson left a comment

Let's remove "resolutions" and find another solution, e.g. delete yarn.lock and run yarn or maybe yarn-audit-fix if it works.

@jodarove jodarove (Contributor Author) commented Oct 4, 2021

@nolanlawson, reverted the resolutions. I'll address the axios issue in another PR.

@jodarove jodarove merged commit f4a41a2 into master Oct 5, 2021
@jodarove jodarove deleted the jodarove/update-deps branch October 5, 2021 13:18

4 participants