
Conversation

mahoneycm

@mahoneycm mahoneycm commented Mar 4, 2024

Summary

Resolves 4 dependency vulnerabilities.

Before: 44 vulnerabilities (1 low, 18 moderate, 25 high)

After: 40 vulnerabilities (15 moderate, 25 high)

Breaking change

This is not a breaking change.

Related issue

Closes #5780

Closes #5717

Preview link

Storybook preview →

Problem statement

Various dependencies were causing moderate and low security vulnerabilities.

Solution

Bump dependencies with resolving updates.

Major changes

Npm audit fix automatically removed the uswds-core workspace from package-lock in d731d79. This will happen after running npm install on develop as well. I believe this may be a result of removing the uswds-core package.json file in #5673.

package-lock.json

- "workspaces": [
-   "packages/uswds-core"
- ],
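Review bot: the removal of the `workspaces` entry for `packages/uswds-core` from package-lock.json should be recorded as an intentional, reproducible lockfile change rather than a side effect of `npm audit fix`. The description says the same removal happens on develop after a plain `npm install` and attributes it to the uswds-core package.json being removed in #5673; suggest confirming that the root package.json no longer declares that workspace, so package.json and package-lock.json agree and later installs do not churn the lockfile.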

Testing and review

  1. Run npm install.
  2. Run npm start.
  3. Update a SASS file and see it update in StorybookJS.
  4. Running npx gulp sassTests or npm run test should not fail.
  5. Run gulp tasks (like build) and ensure there aren't errors and things build correctly.
  6. Installing on site does not cause any installation or build errors.

Dependency updates

Dependency name      Previous version   New version
resolve-url-loader   4.0.0              5.0.0

dependabot bot and others added 6 commits January 11, 2024 03:32
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.3 to 1.15.4.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.3...v1.15.4)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [ip](https://github.com/indutny/node-ip) from 2.0.0 to 2.0.1.
- [Commits](indutny/node-ip@v2.0.0...v2.0.1)

---
updated-dependencies:
- dependency-name: ip
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@mahoneycm mahoneycm requested review from amyleadem and mejiaj March 4, 2024 18:28
@amyleadem amyleadem added this to the uswds 3.8.0 milestone Mar 4, 2024

@amyleadem amyleadem left a comment


@mahoneycm Everything seemed to be working well after this change. One question: The PR description mentions multiple dependency changes but the package.json shows only one change. My understanding was that we only listed package.json changes there, but I'm also not sure if that is true! Flagging for discussion so that the PR description shows the changes that should be included in the release notes.

  • Confirm the dependency changes match the PR description
  • Confirm the dependency warning count
    • 40 vulnerabilities (15 moderate, 25 high)
  • Confirm the following run without error:
    • Fresh npm install
    • npm run start
    • npm run build:html
    • npm run test:ci
    • gulp
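The checklist above asks the reviewer to confirm the vulnerability count by eye. The script below is an added example (not uswds code or tooling) that does the same comparison mechanically: it reads two `npm audit --json` reports, formats the per-severity counts the way the PR description does, fails on any severity whose count went up, and lists which flagged packages are direct dependencies (the only ones the team decided to put in the PR table). It assumes the npm 7+ audit report layout, where `metadata.vulnerabilities` holds per-severity counts and each entry under `vulnerabilities` carries an `isDirect` flag. The two sample reports embedded in it are constructed to mirror the 44 -> 40 counts quoted in the PR; their package names are placeholders and their per-package entries are abbreviated to the fields the script uses.

```python
"""Compare `npm audit --json` reports against a baseline (added example; not uswds code).

Assumes the npm 7+ audit report layout: `metadata.vulnerabilities` holds per-severity
counts and each entry under `vulnerabilities` carries an `isDirect` flag. The two
sample reports below are constructed to mirror the counts quoted in the PR
(44 -> 40 vulnerabilities); they are not real audit output and their package
names are placeholders.
"""
import json
import subprocess
import sys

SEVERITIES = ("info", "low", "moderate", "high", "critical")

# Constructed sample: the "Before" state from the PR description (1 low, 18 moderate, 25 high).
BEFORE_SAMPLE = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "placeholder-transitive-dep": {"name": "placeholder-transitive-dep", "severity": "low", "isDirect": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 18, "high": 25, "critical": 0, "total": 44}},
}

# Constructed sample: the "After" state (15 moderate, 25 high); one direct dependency still flagged.
AFTER_SAMPLE = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "placeholder-direct-dep": {"name": "placeholder-direct-dep", "severity": "moderate", "isDirect": True},
        "placeholder-transitive-dep": {"name": "placeholder-transitive-dep", "severity": "high", "isDirect": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 15, "high": 25, "critical": 0, "total": 40}},
}


def severity_counts(report):
    """Per-severity counts from the report's metadata block, with missing severities as 0."""
    meta = report.get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(meta.get(sev, 0)) for sev in SEVERITIES}


def summarize(counts):
    """Format counts the way the PR description does, e.g. '40 vulnerabilities (15 moderate, 25 high)'."""
    total = sum(counts.values())
    parts = ", ".join(f"{n} {sev}" for sev, n in counts.items() if n)
    return f"{total} vulnerabilities ({parts})" if parts else "0 vulnerabilities"


def regressions(before, after):
    """Severities whose count rose between two reports: what a dependency bump must not do."""
    return {sev: (before[sev], after[sev]) for sev in SEVERITIES if after[sev] > before[sev]}


def direct_advisories(report):
    """Names of flagged packages that are direct dependencies (the ones the PR table lists)."""
    return sorted(name for name, entry in report.get("vulnerabilities", {}).items() if entry.get("isDirect"))


def load_report(path=None):
    """Load a saved report, or run `npm audit --json` in the current directory.

    npm audit exits non-zero whenever vulnerabilities exist, so the exit code is
    ignored here and only stdout is parsed.
    """
    if path:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    proc = subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True)
    return json.loads(proc.stdout)


def check(before, after):
    """Return (ok, message) for a before/after pair; ok is False on any per-severity increase."""
    b, a = severity_counts(before), severity_counts(after)
    worse = regressions(b, a)
    msg = f"Before: {summarize(b)}\nAfter:  {summarize(a)}"
    if worse:
        detail = ", ".join(f"{sev} {x}->{y}" for sev, (x, y) in worse.items())
        return False, f"{msg}\nRegression: {detail}"
    direct = direct_advisories(after)
    if direct:
        msg += "\nDirect dependencies still flagged: " + ", ".join(direct)
    return True, msg


if __name__ == "__main__":
    # Usage: python audit_check.py baseline.json [current.json]
    # With one argument the current report comes from running `npm audit --json`.
    if len(sys.argv) < 2:
        ok, report = check(BEFORE_SAMPLE, AFTER_SAMPLE)  # demo on the constructed samples
    else:
        ok, report = check(load_report(sys.argv[1]), load_report(sys.argv[2] if len(sys.argv) > 2 else None))
    print(report)
    sys.exit(0 if ok else 1)
```

Saving `npm audit --json > baseline.json` on develop before the bump and running the script against the branch afterwards turns the "confirm the dependency warning count" step into a pass/fail check; the per-severity comparison matters because a total that stays flat can still hide a moderate finding turning into a high one.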

@mahoneycm

@amyleadem Oh that's a good point! I included them because they were causing dependabot alerts and reported vulnerabilities via npm audit but I'm unsure if those vulnerabilities will be passed onto the user and therefore not needed to be mentioned here 🤔

@mejiaj What are your thoughts here?


mejiaj commented Mar 5, 2024

As discussed in 03/05/24 dev sync

We'll only list direct dependencies in table because of the complexity of tracking multiple nested deps. We can revisit in the future if this is something we need to start tracking.

@mahoneycm

Updated the dependency table to only feature the package.json update 👍


@mejiaj mejiaj left a comment


Thanks! Found no issues with update or with dependencies we're using webpack 5+.

"postcss-preset-env": "9.3.0",
"prettier": "2.8.8",
"react-dom": "17.0.2",
"resolve-url-loader": "4.0.0",

@mejiaj mejiaj Mar 6, 2024


Dependency updates

Changelog for resolve-url-loader in 5.0.0.

Breaking changes

- Require node>=12.
- Support only webpack>=4.
- Update to postcss@^8.
- Remove rework engine (which was deprecated in V4).

Bugfixes

- Fix log messages not correctly normalising absolute paths to posix style on Windows platform
- Fixes to end-to-end tests and test framework.

Source: Release 5.0.0 · bholloway/resolve-url-loader

@mejiaj mejiaj requested a review from thisisdano March 6, 2024 14:30
@amyleadem amyleadem mentioned this pull request Mar 6, 2024

mejiaj commented Mar 6, 2024

I've added this note to the Dependencies and security section of the 3.8.0 draft release notes [1].

Footnotes

  1. https://github.com/uswds/uswds/releases

@thisisdano thisisdano merged commit 90617b4 into develop Mar 6, 2024
@thisisdano thisisdano deleted the cm-POAM-march-24 branch March 6, 2024 20:44