
upgrade dependencies #5952

Closed
paul-marechal opened this issue Aug 15, 2019 · 5 comments
Assignees
Labels
quality issues related to code and application quality security issues related to security

Comments

@paul-marechal
Member

paul-marechal commented Aug 15, 2019

Description

yarn audit finally works on the main repository, and here's the output:

16468 vulnerabilities found - Packages audited: 6505915
Severity: 13677 Low | 13 Moderate | 2775 High | 3 Critical

To be fair, this is not a huge issue in itself, for two reasons:

  1. It is due to having a lock file: despite our version ranges targeting newer versions, the lock file prevents us from pulling updated packages.
  2. Clients will most likely pull up-to-date packages.

Although this becomes an issue when, despite using all the most up-to-date packages, vulnerabilities are still present. That's when we are supposed to fix things. Right now, given the result of yarn audit, we have no way to know if the Theia framework suffers from such vulnerabilities through its dependencies.

Hence we should try and make a best effort at keeping our dependencies up to date.

Reproduction Steps

git clone [email protected]:theia-ide/theia.git
cd theia
yarn
yarn audit

OS and Theia version: Ubuntu 16.04, Theia@9105c43, [email protected]

@paul-marechal paul-marechal self-assigned this Aug 15, 2019
@paul-marechal paul-marechal changed the title upgrade our dependencies upgrade dependencies Aug 15, 2019
@vince-fugnitto
Member

How many of the issues are from production and not devDependencies?

@vince-fugnitto vince-fugnitto added quality issues related to code and application quality security issues related to security labels Aug 15, 2019
@paul-marechal
Member Author

paul-marechal commented Aug 15, 2019

No idea, too many. But that's the issue.

Scrolling through the report I could see some, but cannot know for sure for the rest.
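
The production-vs-devDependencies question above can be answered mechanically rather than by scrolling the report. The following is an added example, not code from this issue or from the Theia repository: it post-processes the newline-delimited JSON that `yarn audit --json` (yarn 1.x) writes, where each `auditAdvisory` record carries `data.resolution.path` (a `>`-joined chain from the top-level package down to the vulnerable module) and `data.advisory.severity`. The root of that chain is the dependency the project itself declared, so looking it up in package.json's `dependencies` versus `devDependencies` classifies the finding. The report shape, the sample manifest and the sample audit lines are constructed for the example; a root found in neither section (for instance a workspace package) is reported as "unknown" rather than guessed.

```javascript
// Added example (not Theia project code): split a `yarn audit --json` report
// into production vs devDependency findings, tallied per severity.
//
// Assumed report shape (yarn 1.x, one JSON object per line):
//   {"type":"auditAdvisory","data":{"resolution":{"path":"a>b>c",...},
//                                   "advisory":{"id":..,"module_name":..,"severity":..}}}
//   {"type":"auditSummary","data":{...}}
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Classify one advisory by the root of its resolution path against the
// project's manifest. 'unknown' means the root is declared in neither section.
function classifyPath(resolutionPath, manifest) {
  const root = resolutionPath.split('>')[0];
  if (manifest.devDependencies && root in manifest.devDependencies) return 'dev';
  if (manifest.dependencies && root in manifest.dependencies) return 'prod';
  return 'unknown';
}

// Parse NDJSON audit output and tally severities per dependency class.
// Returns { prod: {sev: n}, dev: {...}, unknown: {...}, advisories: [...] }.
function summarizeAudit(ndjson, manifest) {
  const emptyTally = () => Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  const result = { prod: emptyTally(), dev: emptyTally(), unknown: emptyTally(), advisories: [] };
  const seen = new Set(); // yarn can repeat an advisory; count each (id, path) once

  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let record;
    try { record = JSON.parse(line); } catch (e) { continue; } // skip non-JSON noise
    if (record.type !== 'auditAdvisory') continue;
    const { resolution, advisory } = record.data;
    const key = `${advisory.id}:${resolution.path}`;
    if (seen.has(key)) continue;
    seen.add(key);
    const cls = classifyPath(resolution.path, manifest);
    const sev = SEVERITIES.includes(advisory.severity) ? advisory.severity : 'info';
    result[cls][sev] += 1;
    result.advisories.push({ id: advisory.id, module: advisory.module_name, severity: sev, path: resolution.path, class: cls });
  }
  return result;
}

// Convenience wrapper for real use: `yarn audit --json > audit.ndjson`, then
// summarizeAuditFile('audit.ndjson', require('./package.json')). `fs` is
// required lazily so the rest of the file stays free of I/O.
function summarizeAuditFile(path, manifest) {
  const fs = require('fs');
  return summarizeAudit(fs.readFileSync(path, 'utf8'), manifest);
}

// Constructed sample manifest and audit lines (not taken from the Theia repo).
const SAMPLE_MANIFEST = {
  dependencies: { express: '^4.17.0' },
  devDependencies: { mocha: '^6.0.0', webpack: '^4.0.0' },
};
const SAMPLE_AUDIT = [
  { type: 'auditAdvisory', data: { resolution: { path: 'express>qs' }, advisory: { id: 1001, module_name: 'qs', severity: 'high' } } },
  { type: 'auditAdvisory', data: { resolution: { path: 'mocha>minimist' }, advisory: { id: 1002, module_name: 'minimist', severity: 'low' } } },
  { type: 'auditAdvisory', data: { resolution: { path: 'webpack>lodash' }, advisory: { id: 1003, module_name: 'lodash', severity: 'critical' } } },
  { type: 'auditAdvisory', data: { resolution: { path: 'webpack>lodash' }, advisory: { id: 1003, module_name: 'lodash', severity: 'critical' } } }, // duplicate
  { type: 'auditSummary', data: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1 } } },
].map((r) => JSON.stringify(r)).join('\n');

const REPORT = summarizeAudit(SAMPLE_AUDIT, SAMPLE_MANIFEST);
console.log('prod:', REPORT.prod);
console.log('dev:', REPORT.dev);
console.log('unknown:', REPORT.unknown);
```

On the sample input the one `high` lands under `prod` (via `express`) while the `low` and the `critical` land under `dev`, which is the split the thread is asking about; the duplicated `lodash` line is counted once. Run against a real report, the `prod` tally is the part that actually reaches downstream users of the framework, and the `unknown` bucket flags roots that need a manual look before being dismissed.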

@lmcbout
Contributor

lmcbout commented Aug 15, 2019

@marechal-p What about the 3 critical, did you have a look at those?

@paul-marechal
Member Author

Those were dev-dependency related; still trying to bring the counters as close to 0 as possible.

@vince-fugnitto
Member

Is it closeable by #6255?
