USWDS-Compile - Dependencies: POAM March '24 #89
Conversation
@mahoneycm can we also update patch and minor dependencies?
Running command below in terminal.
npx npm-check-updates --interactive --format group
Shows the following patch/minor updates.
Patch Backwards-compatible bug fixes
❯ ◉ autoprefixer 10.4.16 → 10.4.18
◉ postcss 8.4.32 → 8.4.35
Minor Backwards-compatible features
◉ sass-embedded 1.69.5 → 1.71.1
@mejiaj went ahead and updated patch and minor versions as well as updated to Tested by installing on sandbox and all compile commands work like a charm with no file changes
LGTM, thank you.
A comment on the change in line 41. I'm leaning towards keeping the previous change, but open to making it consistent.
Summary
Monthly POAM checks and dependency vulnerability resolution.
Before: 4 vulnerabilities (1 low, 3 moderate)
After: 3 moderate severity vulnerabilities
Updates USWDS package to 3.8.0 [1]
Related issue
uswds/uswds#5801
Closes https://github.com/uswds/uswds-compile/security/dependabot/10
Problem statement
Various dependencies were causing medium and low security vulnerabilities.
Solution
Bump dependencies with resolving updates.
Updated dependencies
autoprefixer 10.4.16 → 10.4.18
postcss 8.4.32 → 8.4.35
sass-embedded 1.69.5 → 1.71.1
USWDS ^3.7.1 → 3.8.0
Testing and review
npm install
Gulp commands
Footnotes
[1] Note: Pinned the USWDS dependency to match the updating process on USWDS-Site. I figured this grants us more control over breaking changes in the future.