Updated dependencies to fix security issues #485

Merged
merged 1 commit into from
Apr 15, 2019
Conversation

chill117 (Contributor) commented Dec 24, 2018

Removed common-style (deprecated, depends on unpatched packages)

BigBlueHat (Member) commented:
Thanks for sending these! We've actually got quite a tangle of dependencies that need upgrading (or removing/reconsidering).

@thornjad not sure if this is the "tip of the spear" in that regard or not, but certainly bumping all the versions is important before the next major (and possibly next minor--if we can avoid BC breaks) release.

BigBlueHat added the labels "major version" (Major, potentially breaking, change) and "needs-investigation" on Jan 25, 2019.

thornjad (Member) commented:
I certainly agree this is important. However I do think we need to replace common-style rather than just remove it. I think eslint is a good contender, though there are several other good options as well.

thornjad (Member) left a review comment:
For the most part, I would prefer to leave most of these with the ^ (meaning any minor version greater than the one specified), so we don't have to update package.json often. To that end, I'd request that most if not all of the package version here start with ^.

Two review threads on package.json (outdated, resolved).

lvl99 commented Feb 3, 2019

Apparently the version of qs used in http-server has some potential issues: https://app.snyk.io/test/npm/http-server/0.11.1

thornjad (Member) commented Feb 5, 2019

@lvl99 you're right, and it's already fixed in the next version of union, so updating dependencies should fix that. It's because of that vulnerability that this is high on my radar.

@chill117 would you mind changing this to use version ranges instead of specific versions? You can also mark this as addressing #461

Commit: Removed common-style (deprecated, depends on unpatched packages)

Issue #461
chill117 (Contributor, author) commented Feb 7, 2019

I've updated the version numbering to include ~ and ^ where appropriate. I returned common and the pretest for code-style checking - to limit the scope of this PR to updating non-dev dependencies.
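The difference between an exact pin, `~` and `^` that the review comment and the reply above turn on, as an added example (not code from http-server or from any of the participants): a dependency-free re-implementation of the subset of npm's range rules that covers these three forms, applied to a constructed publish history (not real npm data) to show which version an install without a lockfile would resolve to. The rules it encodes are npm's own: `^` keeps the leftmost non-zero component fixed (`^1.0.0` admits minor and patch updates below 2.0.0, while `^0.6.0` stays below 0.7.0), `~` admits patch updates only, and a bare version admits nothing else. Only plain `x.y.z` specifiers are handled; prerelease tags and compound ranges are out of scope.

```javascript
// Minimal semver range checker for exact, ~ and ^ specifiers.
// Added example; it is not npm's semver library and handles only
// plain x.y.z versions (no prerelease tags, no compound ranges).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { min, max } where min is inclusive and max is exclusive.
function rangeOf(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = parseVersion(op ? spec.slice(1) : spec);
  const [major, minor, patch] = base;
  if (op === '') return { min: base, max: [major, minor, patch + 1] }; // exact pin
  if (op === '~') return { min: base, max: [major, minor + 1, 0] }; // patch updates only
  // caret: the leftmost non-zero component is locked
  if (major > 0) return { min: base, max: [major + 1, 0, 0] };
  if (minor > 0) return { min: base, max: [0, minor + 1, 0] };
  return { min: base, max: [0, 0, patch + 1] };
}

function satisfies(version, spec) {
  const v = parseVersion(version);
  const { min, max } = rangeOf(spec);
  return compare(v, min) >= 0 && compare(v, max) < 0;
}

// Highest published version a lockfile-less install could resolve the
// specifier to; null if nothing published satisfies it.
function highestSatisfying(spec, published) {
  const ok = published
    .filter((v) => satisfies(v, spec))
    .sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed publish history for a hypothetical package (not real npm data).
const PUBLISHED = ['0.5.2', '0.6.0', '0.6.1', '1.0.0', '1.0.1', '1.1.0', '1.2.0', '2.0.0'];

function demo() {
  const out = {};
  for (const spec of ['1.0.0', '~1.0.0', '^1.0.0', '^0.6.0', '~0.6.0', '^0.0.3']) {
    out[spec] = highestSatisfying(spec, PUBLISHED);
    console.log(spec.padEnd(8), '->', out[spec]);
  }
  return out;
}

demo();
```

The practical point for a dependency-upgrade PR like this one: a range lets a later `npm install` pick up patched releases without another package.json change, but it also means the resolved version depends on when the install runs, so the lockfile (package-lock.json) is what makes the resolved set reproducible, and it is the lockfile that `npm audit` reports against.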

BigBlueHat (Member) commented:
@thornjad there's a suggestion for prettier as a replacement to common-style in #494. Certainly this can wait, but wanted to connect dots.

This looks good to merge (pending your merge-train 🚆). 😄

thornjad (Member) commented:
Choo choo!

I also made a suggestion of eslint in #497, but I meant that more as a discussion (and didn't see #494 come in before it). And of course draft PRs become a thing just after I need it.

thornjad added this to the v0.12.0 milestone on Feb 28, 2019.
thornjad merged commit 72d7614 into http-party:master on Apr 15, 2019.
thornjad added a commit that referenced this pull request on Apr 15, 2019 (branch ...ps-to-fix-security-issues): "Updated dependencies to fix security issues"
Labels: major version (Major, potentially breaking, change)

4 participants