Check project dependencies for possible updates #3217

Closed
tdipisa opened this issue Oct 5, 2018 · 8 comments
Comments

@tdipisa
Member

tdipisa commented Oct 5, 2018

Description

Check project dependencies for possible updates

@baloola
Contributor

baloola commented Oct 10, 2018

The security vulnerability is caused by the bootstrap version used in MapStore2; the GitHub notifications recommend upgrading to bootstrap 4.
A first look at the possibility of upgrading to bootstrap 4 shows a problem, which is that bootstrap 4 uses SASS instead of LESS.

@mbarto
Contributor

mbarto commented Oct 10, 2018

Upgrading is a lot of effort; we should also migrate from react-bootstrap to reactstrap (which supports bootstrap 4, while react-bootstrap only supports 3).
It's not worth doing it only for a vulnerability (that I suspect also cannot happen the way we use it in MS2).

@offtherailz
Member

I agree with @mbarto, the migration is very hard.
I suggest checking what this vulnerability exactly is and whether it also affects MapStore.
If it doesn't affect MS2 we could find an easy way to mute this alert; otherwise plan the update, but in this case the effort changes a lot.
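
A triage helper along the lines offtherailz suggests (work out what each alert is and whether it actually reaches the project), added here as an example and not MapStore2 code. It assumes the `npm audit --json` report shape of npm 7 and later (a `vulnerabilities` map whose entries carry `severity`, `isDirect`, `via` and `fixAvailable`); the report embedded below is constructed for illustration, not a real audit of MapStore2.

```python
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report (not a real audit of MapStore2). The bootstrap entry
# mirrors the thread's case: a moderate alert whose only fix is a major upgrade.
# The other two entries are invented to show a transitive finding and the direct
# dependency that inherits it.
SAMPLE_REPORT = json.dumps({"vulnerabilities": {
    "bootstrap": {
        "name": "bootstrap", "severity": "moderate", "isDirect": True,
        "via": [{"name": "bootstrap", "title": "Sample advisory (placeholder)",
                 "severity": "moderate", "range": "<4.0.0"}],
        "nodes": ["node_modules/bootstrap"],
        "fixAvailable": {"name": "bootstrap", "version": "4.0.0", "isSemVerMajor": True}},
    "lodash": {
        "name": "lodash", "severity": "high", "isDirect": False,
        "via": [{"name": "lodash", "title": "Sample advisory (placeholder)",
                 "severity": "high", "range": "<4.17.0"}],
        "nodes": ["node_modules/some-build-tool/node_modules/lodash"],
        "fixAvailable": True},
    "some-build-tool": {
        "name": "some-build-tool", "severity": "high", "isDirect": True,
        "via": ["lodash"],  # vulnerable only through its own copy of lodash
        "nodes": ["node_modules/some-build-tool"], "fixAvailable": True}}})


def triage(report_json, min_severity="moderate"):
    """Return findings at or above min_severity, worst first.

    Each finding records whether the package is a direct dependency, whether the
    advisory is its own ("via" holds advisory objects) or inherited from a
    dependency ("via" holds package names), and whether the only fix is a
    semver-major upgrade, the case the thread treats as a costly migration.
    """
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for name, vuln in json.loads(report_json).get("vulnerabilities", {}).items():
        if SEVERITY_RANK.get(vuln.get("severity", "info"), 0) < threshold:
            continue
        via = vuln.get("via", [])
        fix = vuln.get("fixAvailable")
        findings.append({
            "package": name,
            "severity": vuln["severity"],
            "direct": bool(vuln.get("isDirect")),
            "own_advisories": [a.get("title", "?") for a in via if isinstance(a, dict)],
            "inherited_from": [p for p in via if isinstance(p, str)],
            "fix_available": bool(fix),
            "major_upgrade": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
        })
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])
```

A finding that is direct, carries its own advisory and needs a major upgrade (the bootstrap row here) is the one worth a planned migration; an inherited finding on a transitive copy is usually fixed by bumping the intermediate package.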

@tdipisa
Member Author

tdipisa commented Oct 10, 2018

@baloola, since this is a moderate alert we can decrease the priority of the issue and plan the update later. I'm going to close it for the moment.

@tdipisa tdipisa closed this as completed Oct 10, 2018
@ghost ghost removed the in progress label Oct 10, 2018
@tdipisa tdipisa removed this from the 2018.02.01 milestone Oct 10, 2018
@tdipisa tdipisa self-assigned this Oct 10, 2018
@tdipisa tdipisa changed the title Fix potential security vulnerabilities in project dependencies Check potential security vulnerabilities in project dependencies Oct 10, 2018
@tdipisa tdipisa changed the title Check potential security vulnerabilities in project dependencies Check on project dependencies Oct 10, 2018
@tdipisa tdipisa changed the title Check on project dependencies Check project dependencies for possible updates Oct 10, 2018
@zachsa

zachsa commented Jul 8, 2019

Why was this closed without a fix applied? GitHub is actually flagging quite a few security vulnerabilities now:

GitHub security warnings

@zachsa

zachsa commented Jul 8, 2019

Doing an npm install, I get the following list of deprecated dependencies:


@mbarto
Contributor

mbarto commented Jul 8, 2019

This one has been closed because we opened another issue to keep track of needed updates: #3528
That said, thanks for notifying us of security vulnerabilities. If you could also provide pull requests to solve some of them it would be greatly appreciated!

@zachsa

zachsa commented Jul 8, 2019 via email
