
Upgrade dependencies and fix security alerts #3859

Merged
merged 4 commits into master from fix-vulnerable-packages
Mar 7, 2019

Conversation

daniel-wer

@daniel-wer daniel-wer commented Mar 4, 2019

Although GitHub only showed 5 alerts, yarn audit complained about >85 vulnerable packages. Fortunately, a yarn upgrade (which updates all packages as far as it is allowed by the package.json) fixed most of these issues. Of course there were libs that introduced breaking changes in minor versions (looking at you, airbrake-js; that's why I needed to include the cross-fetch dependency).
There is one remaining alert by yarn audit, but there is an open PR in the library's repo which we should get via yarn upgrade in the next weeks.

I did some testing by myself and couldn't find any major issues.
Not sure whether we should execute the testing protocol, but as the libs with major version updates were all devDependencies, I would hope we won't need to execute it.

Related note: We should probably run yarn upgrade more often, it removed lots of very old package versions which should benefit the bundle size as well :)
(I checked out of interest and can confirm: vendor-bundle got ~20% smaller locally - from 27MB to 22MB)

URL of deployed dev instance (used for testing):

Steps to test:

  • Run yarn audit.

Issues:


  • Ready for review
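The "Run yarn audit" test step above is a manual check; the same check can be made a repeatable gate that tolerates exactly the kind of known, pending alert the description mentions (one advisory waiting on an open upstream PR) without silencing everything else. The following is an added example written for this page, not code from the webKnossos project or this PR. It assumes the yarn v1 `yarn audit --json` layout (newline-delimited JSON with one `auditAdvisory` record per finding and a closing `auditSummary` record, advisory fields `id`, `module_name`, `severity`, `title`, `patched_versions`, resolution fields `path` and `dev`); the advisory ids, module names and paths in the sample are constructed.

```javascript
// Added example (not webKnossos project code): a CI gate over `yarn audit --json`
// output with an allowlist for advisories that are known and waiting on an
// upstream fix. The record layout below is an assumption about the yarn v1
// JSON format; all sample values are constructed for this example.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Parse NDJSON audit output into flat advisory objects. Lines that are not JSON
// (yarn warnings, blank lines) are skipped rather than aborting the gate.
function parseAuditOutput(text) {
  const advisories = [];
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (!line.startsWith('{')) continue;
    let record;
    try {
      record = JSON.parse(line);
    } catch (err) {
      continue; // malformed line: ignore it, the remaining records still count
    }
    if (record.type !== 'auditAdvisory') continue;
    const adv = record.data.advisory;
    const res = record.data.resolution;
    advisories.push({
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      patched: adv.patched_versions,
      path: res.path,        // dependency chain that pulls the module in
      dev: Boolean(res.dev), // true when reached only via devDependencies
    });
  }
  return advisories;
}

// One advisory is reported once per dependency path; count distinct ids for reporting.
function uniqueIds(advisories) {
  return [...new Set(advisories.map((a) => a.id))];
}

// Decide whether the build should fail. Findings at or above `threshold` block
// unless their advisory id is in `allowlist` (id -> reason string), which records
// why a known alert is tolerated instead of hiding it.
function evaluate(advisories, { threshold = 'high', allowlist = {} } = {}) {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown severity ${threshold}`);
  const minRank = SEVERITY_RANK[threshold];
  const blocking = [];
  const waived = [];
  for (const a of advisories) {
    if (Object.prototype.hasOwnProperty.call(allowlist, a.id)) {
      waived.push({ ...a, reason: allowlist[a.id] });
    } else if (SEVERITY_RANK[a.severity] >= minRank) {
      blocking.push(a);
    }
  }
  return { ok: blocking.length === 0, blocking, waived };
}

// Builds one constructed auditAdvisory record in the assumed yarn v1 layout.
function advisoryLine(id, module, severity, path, dev) {
  return JSON.stringify({
    type: 'auditAdvisory',
    data: {
      resolution: { id, path, dev, optional: false, bundled: false },
      advisory: {
        id,
        module_name: module,
        severity,
        title: `Constructed ${severity} advisory in ${module}`,
        patched_versions: '>=2.0.0',
      },
    },
  });
}

// Constructed sample of `yarn audit --json` output (made-up ids, modules and paths).
const SAMPLE_AUDIT_OUTPUT = [
  'warning constructed non-JSON line that yarn may interleave',
  advisoryLine(1001, 'example-lib-a', 'high', 'webpack>example-lib-a', true),
  advisoryLine(1001, 'example-lib-a', 'high', 'jest>example-lib-a', true),
  advisoryLine(1002, 'example-lib-b', 'moderate', 'react>example-lib-b', false),
  JSON.stringify({
    type: 'auditSummary',
    data: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0 } },
  }),
].join('\n');

// Run the gate and build a human-readable report; in CI you would feed the real
// `yarn audit --json` output in and set process.exitCode from `ok`.
function report(text, options) {
  const advisories = parseAuditOutput(text);
  const result = evaluate(advisories, options);
  const lines = [`${uniqueIds(advisories).length} distinct advisories, ${advisories.length} paths`];
  for (const a of result.blocking) lines.push(`BLOCK ${a.id} ${a.module} ${a.severity} via ${a.path}`);
  for (const a of result.waived) lines.push(`WAIVE ${a.id} ${a.module} (${a.reason})`);
  lines.push(result.ok ? 'audit gate: pass' : 'audit gate: FAIL');
  return { ...result, text: lines.join('\n') };
}

console.log(report(SAMPLE_AUDIT_OUTPUT, {
  threshold: 'high',
  allowlist: { 1001: 'fix open upstream, re-check after next yarn upgrade' },
}).text);
```

The allowlist carries a reason string so a waived advisory stays visible in the report and can be revisited after the next yarn upgrade; the `dev` flag is kept on each finding so the report can distinguish devDependency-only paths, which is the distinction the description relies on when judging whether the full testing protocol is needed.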

@daniel-wer daniel-wer self-assigned this Mar 4, 2019

@philippotto philippotto left a comment


Awesome 💯

@philippotto

For the record: We decided to merge this on Thursday.

@daniel-wer daniel-wer merged commit c62a47c into master Mar 7, 2019
@daniel-wer daniel-wer deleted the fix-vulnerable-packages branch March 7, 2019 12:11

Successfully merging this pull request may close these issues.

Fix security alerts