Conversation


@mejiaj mejiaj commented Apr 26, 2023

This PR:

  • Security fixes via overrides
  • Updates dependencies
  • Adds Snyk monitor via CLI

Closes #48.

Dependency updates

| Dependency | Old | 25da089 [04/27/23] | b37aee6 [07/12/23] |
|---|---|---|---|
| @uswds/uswds | 3.3.0 | 3.4.1 | 3.5.0 |
| uswds | 2.13.3 | 2.14.0 | - |
| autoprefixer | 10.4.13 | 10.4.14 | - |
| del | 6.0.0 | 6.1.1 | - |
| glob-parent [⚠️ via overrides] | - | 6.0.2 | - |
| gulp-replace | 1.1.3 | 1.1.4 | - |
| postcss | 8.4.19 | 8.4.23 | 8.4.25 |
| sass-embedded | 1.56.1 | 1.62.0 | 1.63.6 |
| unset-value [⚠️ via overrides] | - | 2.0.1 | - |

Note
There is an additional update for del@7, but that only supports ESM.

How to test

Confirm errors

  1. Check out the develop branch: git checkout develop
  2. Run npm i && npm audit
  3. Confirm error message: 6 high severity vulnerabilities
  4. Run npx snyk test
  5. Confirm error message: found 2 issues, 33 vulnerable paths.
  6. Reset the branch with git checkout -- .

Confirm fix

  1. Check out the branch: git checkout jm-update-dependencies
  2. Run npm i && npm audit
  3. Confirm 0 vulnerabilities
  4. Run npx snyk test
  5. Confirm 0 vulnerabilities.

Note
I tried testing this on uswds-sandbox with mixed results. Installing via npm link will show dependency fixes, but gulp scripts won't run (even if Node versions match). Installing via git branch won't show security fixes, but scripts will run.

Test functionality:

  • All gulp tasks should run without errors. Test branch available in Sandbox branch test-compile-60 or use site.
  • There should be zero vulnerabilities in npm audit.
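The overrides in this PR only help if every copy of glob-parent and unset-value in the installed tree actually resolved to the pinned version; the discussion below shows that a consumer's lockfile can keep older nested copies. The following is an added example, not code from uswds-compile: it reads an npm lockfile (lockfileVersion 2/3 layout, where `packages` is keyed by `node_modules/...` path) and reports any entry that resolved below an exact-version pin in `overrides`. The manifest and lockfile objects are constructed for the example; in a real project you would `JSON.parse` `package.json` and `package-lock.json` instead.

```javascript
// Added example (not part of the uswds-compile PR): check that every installed copy
// of an overridden package honours the exact-version pin in "overrides".
// Assumes npm lockfileVersion 2/3 ("packages" keyed by node_modules path) and
// exact pins; prerelease tags are ignored. Both objects below are constructed.

const manifest = {
  name: "@uswds/compile",
  overrides: {
    "glob-parent": "6.0.2",
    "unset-value": "2.0.1",
  },
};

// Constructed lockfile fragment: top-level copies are pinned, but a nested
// copy of glob-parent under a hypothetical plugin is still an old 3.x release.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "@uswds/compile" },
    "node_modules/glob-parent": { version: "6.0.2" },
    "node_modules/unset-value": { version: "2.0.1" },
    "node_modules/some-plugin": { version: "1.0.0" },
    "node_modules/some-plugin/node_modules/glob-parent": { version: "3.1.0" },
  },
};

// Split "major.minor.patch[-pre]" into numeric parts (prerelease dropped).
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Three-way numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name is everything after the last "node_modules/" segment, so
// scoped names ("@scope/pkg") and nested copies are both handled.
function packageNameFromPath(p) {
  const marker = "node_modules/";
  const idx = p.lastIndexOf(marker);
  return idx === -1 ? null : p.slice(idx + marker.length);
}

// Return every lockfile entry whose resolved version is below its override pin.
function findStaleOverrides(manifest, lockfile) {
  const overrides = manifest.overrides || {};
  const stale = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in overrides) || !entry.version) continue;
    if (compareVersions(entry.version, overrides[name]) < 0) {
      stale.push({ path, name, resolved: entry.version, expected: overrides[name] });
    }
  }
  return stale;
}

// Stand-alone usage: print one line per stale copy, or a confirmation.
const stale = findStaleOverrides(manifest, lockfile);
if (stale.length === 0) {
  console.log("all overrides honoured");
} else {
  for (const s of stale) {
    console.log(`${s.path}: resolved ${s.resolved}, override requires ${s.expected}`);
  }
}
```

Running this against the constructed input flags the nested `glob-parent` at 3.1.0. The same check run against the consumer's own lockfile (uswds-site in the thread) is the quickest way to tell whether the overrides were applied by npm or whether a stale `package-lock.json` was simply reused, which is what an `npm ci` install will do.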

@mejiaj mejiaj marked this pull request as ready for review April 27, 2023 14:06

@mahoneycm mahoneycm left a comment


When running npx snyk test I'm receiving a third failure on develop that persists on this branch.

image

I'm also receiving an error during buildSass on the following gulp tasks

  • compile
  • compileSass
  • updateUswds // runs compile mentioned above

Error: Cannot find module '../../uswds/package.json'

image

If I update the path to package.json I'm able to resolve it

-  const pkg = require(`../../${uswdsPath}/package.json`).version;
+  const pkg = require(`../${uswdsPath}/package.json`).version; 
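Review bot: a relative `require` path is resolved against the directory of the file that contains it, not against the project root, so whether `../` or `../../` is correct depends on where this script sits relative to `uswdsPath`, and that differs between a checkout linked with `npm link` and a package installed from the branch (both install methods are used in this thread). Rather than swapping one relative prefix for another, resolve the path explicitly against the consuming project, for example `require(path.resolve(process.cwd(), uswdsPath, "package.json")).version`, so the lookup does not change with the install method. Minor: the variable holds a version string, so `uswdsVersion` would describe it better than `pkg`.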

Curious why I've received this error if you haven't!


@amyleadem amyleadem left a comment


@mejiaj This is looking good, but I had trouble removing the vulnerabilities when I installed this branch on uswds-site (notes below). It looks like you ran into a similar issue as described in your PR description. I am not sure if that is an issue with the install method or with the overrides themselves, just wanted to flag it.

  • Successfully completed all steps to confirm vulnerabilities in develop
  • Successfully completed all steps to confirm 0 vulnerabilities and no snyk errors in this branch
  • Confirmed that all gulp tasks work when installed on a local uswds and uswds-compile project
  • Confirmed dependencies are now on their latest version (with the exception of del)
  • Confirmed dependency table in the PR description matches updated dependencies
  • Confirmed this branch removes unset-value and glob-parent snyk errors in uswds-site
    • When I install the jm-update-dependencies branch in uswds-site, via both npm link and installing the remote branch, it shows 6 high severity vulnerabilities and does not resolve glob-parent or unset-value snyk errors. I confirmed that @uswds/compile had the overrides in its package.json.


mejiaj commented Apr 28, 2023

@mahoneycm

When running npx snyk test I'm receiving a third failure on develop that persists on this branch.

image

This is after removing node_modules and package-lock.json?

How I tested

```console
uswds-compile on  jm-update-dependencies via  v18.15.0 via 💎 v2.7.2
➜ rm -rf node_modules package-lock.json

uswds-compile on  jm-update-dependencies [✘] via  v18.15.0 via 💎 v2.7.2
➜ npm i
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: The v1 package contains DANGEROUS / INSECURE binaries. Upgrade to safe fsevents v2
npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies

added 512 packages, and audited 513 packages in 13s

45 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

uswds-compile on  jm-update-dependencies [!1] via  v18.15.0 via 💎 v2.7.2 took 13s
➜ npx snyk test

Testing /Users/jmejia-a/web/uswds-compile...

Organization:      uswds
Package manager:   npm
Target file:       package-lock.json
Project name:      @uswds/compile
Open source:       no
Project path:      /Users/jmejia-a/web/uswds-compile
Licenses:          enabled

✔ Tested 415 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
```

I'm also receiving an error during buildSass on the following gulp tasks

  • compile
  • compileSass
  • updateUswds // runs compile mentioned above

Error: Cannot find module '../../uswds/package.json'

image

If I update the path to package.json I'm able to resolve it

-  const pkg = require(`../../${uswdsPath}/package.json`).version;
+  const pkg = require(`../${uswdsPath}/package.json`).version; 

Curious why I've received this error if you haven't!

You need a test project to run the Compile tasks. I've updated notes to point to uswds/uswds-sandbox at test-compile-60. Thanks for pointing that out.

Pin del to 6.1.1

Co-authored-by: Amy Leadem <[email protected]>

mejiaj commented Apr 28, 2023

@mejiaj This is looking good, but I had trouble removing the vulnerabilities when I installed this branch on uswds-site (notes below). It looks like you ran into a similar issue as described in your PR description. I am not sure if that is an issue with the install method or with the overrides themselves, just wanted to flag it.

  • Successfully completed all steps to confirm vulnerabilities in develop

  • Successfully completed all steps to confirm 0 vulnerabilities and no snyk errors in this branch

  • Confirmed that all gulp tasks work when installed on a local uswds and uswds-compile project

  • Confirmed dependencies are now on their latest version (with the exception of del)

  • Confirmed dependency table in the PR description matches updated dependencies

  • Confirmed this branch removes unset-value and glob-parent snyk errors in uswds-site

    • When I install the jm-update-dependencies branch in uswds-site, via both npm link and installing the remote branch, it shows 6 high severity vulnerabilities and does not resolve glob-parent or unset-value snyk errors. I confirmed that @uswds/compile had the overrides in its package.json.

@amyleadem I was able to reproduce the last note and not sure why that's happening. It might be an issue with npm audit, but the main focus was handling the issues in this repo.


@amyleadem amyleadem left a comment


Looks good to me!

@mejiaj mejiaj requested a review from mahoneycm May 22, 2023 18:26

@mahoneycm mahoneycm left a comment


@mejiaj I was able to run the gulp commands on the test repo linked in the description but I still received the npx snyk test failure after removing node_modules and package-lock.json

Terminal results

```console
uswds-compile on  jm-update-dependencies [!] is 📦 v1.0.0 via  v16.19.0 via 💎 v2.6.10
❯ rm -rf node_modules package-lock.json

uswds-compile on  jm-update-dependencies [✘!] is 📦 v1.0.0 via  v16.19.0 via 💎 v2.6.10
❯ npm i
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: The v1 package contains DANGEROUS / INSECURE binaries. Upgrade to safe fsevents v2
npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies

added 513 packages, and audited 514 packages in 23s

46 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

uswds-compile on  jm-update-dependencies [!] is 📦 v1.0.0 via  v16.19.0 via 💎 v2.6.10 took 23s
❯ npx snyk test

Testing /Users/cmahoney/web/uswds-compile...

Tested 420 dependencies for known issues, found 1 issue, 5 vulnerable paths.


Issues with no direct upgrade or patch:
  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] and 4 other path(s)
  This issue was fixed in versions: 3.0.1, 4.1.1, 5.0.1, 6.0.1



Organization:      mahoneycm-gsa
Package manager:   npm
Target file:       package-lock.json
Project name:      @uswds/compile
Open source:       no
Project path:      /Users/cmahoney/web/uswds-compile
Licenses:          enabled
```

@mejiaj mejiaj requested a review from mahoneycm June 14, 2023 14:22

mejiaj commented Jun 14, 2023

@mahoneycm can you do a clean install and test again?

@mahoneycm

@mejiaj same issue as before:

image


mejiaj commented Jun 14, 2023

@mahoneycm thanks for that info! npm ci depends on the existing package-lock, which is why it's showing older vulnerabilities.

This command is similar to npm install, except it's meant to be used in automated environments such as test platforms, continuous integration, and deployment -- or any situation where you want to make sure you're doing a clean install of your dependencies.

Source: NPMJS on npm ci.


I wasn't able to reproduce this issue via npm install in both node v16 and v18.


mejiaj commented Jul 12, 2023

I've updated dependencies and run npm audit fix in b37aee6.

And now we're back to zero vulnerabilities.

```console
# 07/12/23 - After `npm audit fix`.
uswds-compile on jm-update-dependencies [+] via NPM v18.15.0
→ npm audit fix

changed 2 packages, and audited 513 packages in 478ms

39 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```


mejiaj commented Sep 7, 2023

As of 09/07/23 there are still 0 vulnerabilities. This is ready for review & merge @thisisdano.


Moving additional dep updates to a new issue #71.

@jeremyzilar

On a fresh install where @uswds/compile is the only dependency, I am finding that it hangs on caniuse-lite. Then after about 15mins, my computer runs out of memory and crashes. I am on node 16.19.1.
image

@jeremyzilar

FWIW -- I downgraded to node 14.21.3 and got it working, I think 😊


mejiaj commented Nov 8, 2023

@jeremyzilar could you try node 20? That's the latest LTS version.

@mejiaj mejiaj merged commit ea8d76f into develop Nov 9, 2023
@mejiaj mejiaj deleted the jm-update-dependencies branch November 9, 2023 17:17
Development

Successfully merging this pull request may close these issues.

USWDS-Compile - Bug: gulp vulnerability

4 participants