Fix security vulnerabilities detected by Dependabot #55
Merged
dehoward added the `webapp` (Pull requests that update Typescript code) and `PR: ready for review` labels on Jul 27, 2023
alliscode approved these changes on Jul 27, 2023
github-merge-queue bot pushed a commit that referenced this pull request on Jul 27, 2023:
### Motivation and Context

removes unused packages/commands from our `package.json`.

### Description

- removes packages not imported into the app
- removes the `depcheck` command as this is a tool that should be run globally and not included in the project. We may want to look into having a job run this command periodically to clean up the packages, but we shouldn't be adding packages that aren't used anyway.
- removes the `package-lock.json` accidentally added in #55

### Contribution Checklist

- [x] The code builds clean without any errors or warnings
- [x] The PR follows the [Contribution Guidelines](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md) and the [pre-submission formatting script](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md#development-scripts) raises no violations
- [x] All unit tests pass, and I have added new tests where possible
- [x] I didn't break anyone 😄
teamleader-dev pushed a commit to vlink-group/chat-copilot that referenced this pull request on Oct 7, 2024:
### Motivation and Context

addresses the 6 [security vulnerabilities](https://github.com/microsoft/chat-copilot/security/dependabot) detected by Dependabot.

### Description

- removes `vsts-npm-auth` and `better-vsts-npm-auth` since these packages are intended to be installed globally
- moves `react-scripts` to `devDependencies`:
  - this is the recommended fix for resolving vulnerabilities from transitive dependencies of `react-scripts`: facebook/create-react-app#11174
  - with a [recent change](https://github.blog/2023-05-02-dependabot-relieves-alert-fatigue-from-npm-devdependencies/) made by GitHub, Dependabot should now be smarter in catching false positives that come from devDependencies and we shouldn't have these alerts in the future.

### Contribution Checklist

- [ ] The code builds clean without any errors or warnings
- [ ] The PR follows the [Contribution Guidelines](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md) and the [pre-submission formatting script](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md#development-scripts) raises no violations
- [ ] All unit tests pass, and I have added new tests where possible
- [ ] I didn't break anyone 😄
teamleader-dev pushed a commit to vlink-group/chat-copilot that referenced this pull request on Oct 7, 2024:
### Motivation and Context

removes unused packages/commands from our `package.json`.

### Description

- removes packages not imported into the app
- removes the `depcheck` command as this is a tool that should be run globally and not included in the project. We may want to look into having a job run this command periodically to clean up the packages, but we shouldn't be adding packages that aren't used anyway.
- removes the `package-lock.json` accidentally added in microsoft#55

### Contribution Checklist

- [x] The code builds clean without any errors or warnings
- [x] The PR follows the [Contribution Guidelines](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md) and the [pre-submission formatting script](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md#development-scripts) raises no violations
- [x] All unit tests pass, and I have added new tests where possible
- [x] I didn't break anyone 😄
### Motivation and Context

addresses the 6 security vulnerabilities detected by Dependabot.

### Description

- removes `vsts-npm-auth` and `better-vsts-npm-auth` since these packages are intended to be installed globally
- moves `react-scripts` to `devDependencies`:
  - this is the recommended fix for resolving vulnerabilities from transitive dependencies of `react-scripts`: "Help, npm audit says I have a vulnerability in react-scripts!" (facebook/create-react-app#11174)

### Contribution Checklist
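A small lint for the two manifest mistakes this PR corrects, written here as an added example (not the PR's or the chat-copilot project's code); the `BUILD_ONLY`/`GLOBAL_ONLY` lists and the sample manifest with its version strings are constructed for the example:

```javascript
// Added example (not code from the PR or the chat-copilot project): a package.json
// lint for the two mistakes this PR fixes: build tooling listed under "dependencies"
// and tools meant to be installed globally that do not belong in the manifest at all.

// Build/dev-time tooling that must not ship as a runtime dependency
// (assumption: list assembled for this example from the PR description).
const BUILD_ONLY = new Set(['react-scripts', 'depcheck']);
// Packages the PR description says are meant to be installed globally.
const GLOBAL_ONLY = new Set(['vsts-npm-auth', 'better-vsts-npm-auth']);

// One finding per misplaced or unwanted package; an empty array means clean.
function lintManifest(manifest) {
  const deps = manifest.dependencies || {};
  const devDeps = manifest.devDependencies || {};
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (BUILD_ONLY.has(name)) findings.push({ name, rule: 'move-to-devDependencies' });
  }
  for (const name of [...Object.keys(deps), ...Object.keys(devDeps)]) {
    if (GLOBAL_ONLY.has(name)) findings.push({ name, rule: 'remove-global-tool' });
  }
  return findings;
}

// Apply the fixes the PR made by hand; returns a new manifest and leaves the input untouched.
function fixManifest(manifest) {
  const fixed = JSON.parse(JSON.stringify(manifest));
  fixed.dependencies = fixed.dependencies || {};
  fixed.devDependencies = fixed.devDependencies || {};
  for (const { name, rule } of lintManifest(manifest)) {
    if (rule === 'move-to-devDependencies') {
      fixed.devDependencies[name] = fixed.dependencies[name]; // keep the pinned range
      delete fixed.dependencies[name];
    } else {
      delete fixed.dependencies[name];
      delete fixed.devDependencies[name];
    }
  }
  return fixed;
}

// Constructed sample mirroring the "before" state the PR describes (version strings are made up).
const SAMPLE_BEFORE = {
  name: 'webapp-sample',
  dependencies: { react: '^18.2.0', 'react-scripts': '5.0.1', 'vsts-npm-auth': '^0.42.1' },
  devDependencies: { 'better-vsts-npm-auth': '^6.0.0', typescript: '^5.0.0' },
};
console.log(lintManifest(SAMPLE_BEFORE)); // three findings on the sample above
console.log(JSON.stringify(fixManifest(SAMPLE_BEFORE), null, 2));
```

Running `lintManifest` against the fixed output returns no findings, which is the property a CI job would assert before Dependabot ever sees the manifest.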