Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build: update vulnerable dependencies #166

Merged
merged 3 commits into from
Oct 2, 2021
Merged

build: update vulnerable dependencies #166

merged 3 commits into from
Oct 2, 2021

Conversation

barrett-schonefeld
Copy link
Contributor

@barrett-schonefeld barrett-schonefeld commented Sep 29, 2021

I updated to the latest version of Jest, which removes the dependency on set-value.

@padamstx
Copy link
Member

@barrett-schonefeld The two dependabot alerts that we're seeing in the node core indicate that the following dependency upgrades need to be made:

  1. semver-regex >=3.1.3 (there's actually a PR open for this change)
  2. set-value >=4.0.1 (that would be a major version change, so not sure if that would break anything).

I don't think your proposed changes address either of those, do they? In fact, I'm not really seeing any version # changes at all... looks like the only changes are the removal of the "bundled" lines from package-lock.json.

I'll go ahead and merge in the semver-regex-related PR that was opened up by dependabot automatically, as that will at least address one of the vulnerabilities.

@barrett-schonefeld
Copy link
Contributor Author

I don't think your proposed changes address either of those, do they?

Not initially, but now I updated Jest to the latest, which removes set-value as a dependency.

I'll go ahead and merge in the semver-regex-related PR that was opened up by dependabot automatically, as that will at least address one of the vulnerabilities.

I rebased after you merged the semver-regex work, so both vulnerabilities should be resolved.

@barrett-schonefeld barrett-schonefeld requested review from padamstx and dpopp07 and removed request for dpopp07 and padamstx September 30, 2021 14:31
@barrett-schonefeld
Copy link
Contributor Author

Not initially, but now I updated Jest to the latest, which removes set-value as a dependency.

I need to update some of the tests to work with the latest version of Jest.

@barrett-schonefeld
Copy link
Contributor Author

Removed the use of done in async tests because Jest@27 does not allow tests to both utilize done and return a promise.

For more information on this change, see this Jest issue.

Copy link
Member

@padamstx padamstx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Member

@dpopp07 dpopp07 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thanks for doing this, Barrett. Glad to finally be rid of the redundant done() calls 🙂

@padamstx padamstx merged commit 361086d into main Oct 2, 2021
@padamstx padamstx deleted the update-dependencies branch October 2, 2021 22:53
Andras-Csanyi added a commit to IBM/platform-services-node-sdk that referenced this pull request Oct 12, 2021
@ibm-devx-sdk
Copy link

🎉 This PR is included in version 2.15.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

JurajNyiri pushed a commit to JurajNyiri/node-sdk-core that referenced this pull request Aug 22, 2024
Generated SDK source code using:
- Generator version 3.26.0
- Specification version 1.0.0-dev0.0.31
- Automation (cloudant-sdks) version 26148a0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants