
Change some packages including Webpack, Jest and Babel to sort vulnerabilities #338

Merged
merged 9 commits into from
Jan 23, 2025

Conversation

rhystmills
Contributor

@rhystmills rhystmills commented Jan 21, 2025

What does this change?

This PR changes a few packages to try and sort some high priority vulnerabilities in the application (mostly in dev dependencies).

It builds on some work done by Rik which saw some failing tests after he bumped Jest.

Specifically, this PR:

  • bumps jest and related packages, in the shared dependencies
  • bumps webpack and related dependencies in the client sub-project to stop using a vulnerable version of http-proxy-middleware
  • bumps @babel/core and related dependencies in the client sub-project to rely on a vulnerable version of cross-spawn in fewer places
  • moves from yarn-run-all to npm-run-all due to a vulnerability in the former, which is irregularly updated (last published 8 years ago)

This seemed like a decent amount to cover in one PR. There is a remaining vulnerability in wsrun, last updated 4 years ago, which I decided not to tackle in this PR, and probably more elsewhere in the project.

I had to make two changes to the jest config because of breaking changes in jest:

How to test

  1. Run the application locally according to the instructions in the readme. Does it build and run?
  2. Run the tests with yarn test in the root. Do they all pass?

I'm happy to pair if you have any trouble running either.

@rhystmills rhystmills force-pushed the rm/sort-vulns branch 3 times, most recently from d2b04ad to 71ddd74 January 21, 2025 14:34
@rhystmills rhystmills changed the title Rm/sort vulns Bump some packages to sort vulnerabilities Jan 23, 2025
@rhystmills rhystmills changed the title Bump some packages to sort vulnerabilities Change some packages to sort vulnerabilities Jan 23, 2025
@rhystmills rhystmills changed the title Change some packages to sort vulnerabilities Change some packages including Webpack, Jest and Babel to sort vulnerabilities Jan 23, 2025
@rhystmills rhystmills marked this pull request as ready for review January 23, 2025 09:40
@rhystmills rhystmills requested review from twrichards and a team as code owners January 23, 2025 09:40

@dblatcher dblatcher left a comment


Tested locally - all works!

@rhystmills rhystmills merged commit a54f3f1 into main Jan 23, 2025
3 checks passed
@rhystmills rhystmills deleted the rm/sort-vulns branch January 23, 2025 14:43
@prout-bot
Collaborator

Seen on PROD (merged by @rhystmills 3 minutes and 16 seconds ago) Please check your changes!
