Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade all patch- and minor level packages. #670

Closed
wants to merge 9 commits into from
Closed

Upgrade all patch- and minor level packages. #670

wants to merge 9 commits into from

Conversation

sesam
Copy link

@sesam sesam commented Oct 1, 2021
edited
Loading

Description

I ran yarn upgrade-interactive and since all the packages listed as possible to upgrade were either patch- or minor upgrades, they should be safe.
This PR does all those upgrades, as it seems dependabot did not get around to handling all of them.

Motivation and Context

We've discovered a vulnerable package is used by this package, and as this is a production issue, we want to get it patched and are able to help making that happen.

How has this been tested?

Looking for any already implemented test code now. Will also test this in our product that depends on this.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.

dependabot bot and others added 9 commits August 15, 2021 16:28
@dependabot
chore(deps): bump hosted-git-info from 2.8.8 to 2.8.9
452d4bd 
Bumps [hosted-git-info](https://github.com/npm/hosted-git-info) from 2.8.8 to 2.8.9.
- [Release notes](https://github.com/npm/hosted-git-info/releases)
- [Changelog](https://github.com/npm/hosted-git-info/blob/v2.8.9/CHANGELOG.md)
- [Commits](npm/hosted-git-info@v2.8.8...v2.8.9)

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump y18n from 4.0.0 to 4.0.3
1298122 
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.3.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/y18n-v4.0.3/CHANGELOG.md)
- [Commits](yargs/y18n@v4.0.0...y18n-v4.0.3)

---
updated-dependencies:
- dependency-name: y18n
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump path-parse from 1.0.6 to 1.0.7
5392199 
Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/jbgutierrez/path-parse/releases)
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7)

---
updated-dependencies:
- dependency-name: path-parse
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore(deps): bump tmpl from 1.0.4 to 1.0.5
9316222 
Bumps [tmpl](https://github.com/daaku/nodejs-tmpl) from 1.0.4 to 1.0.5.
- [Release notes](https://github.com/daaku/nodejs-tmpl/releases)
- [Commits](https://github.com/daaku/nodejs-tmpl/commits/v1.0.5)

---
updated-dependencies:
- dependency-name: tmpl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@sesam
Upgrade all patch- and minor level packages.
6b6ef8b
@sesam
Merge remote-tracking branch 'upstream/dependabot/npm_and_yarn/y18n-4…
5908c5b 
….0.3' into upgrade/greens-and-yellows
@sesam
Merge remote-tracking branch 'upstream/dependabot/npm_and_yarn/tmpl-1…
6987060 
….0.5' into upgrade/greens-and-yellows
@sesam
Merge remote-tracking branch 'upstream/dependabot/npm_and_yarn/hosted…
0b2217e 
…-git-info-2.8.9' into upgrade/greens-and-yellows
@sesam
Merge remote-tracking branch 'upstream/dependabot/npm_and_yarn/path-p…
fa51120 
…arse-1.0.7' into upgrade/greens-and-yellows
@sesam
Copy link
Author

sesam commented Oct 1, 2021

I updated this PR with adding all currently open dependabot PRs so it can all be tested together, making it less work at least from my point of view.

@chimurai
Copy link
Owner

chimurai commented Oct 1, 2021
edited
Loading

We've discovered a vulnerable package is used by this package, and as this is a production issue, we want to get it patched and are able to help making that happen.

Could you share those details? Which production dependency are you referring to?

AFAIK the dependabot PRs is only updating devDependencies.
Those dev dependencies and (dependencies in lock files) won't be installed if you consume http-proxy-middleware normally.

@chimurai
Copy link
Owner

chimurai commented Oct 1, 2021

fixed in #671

thanks for reminder to update dev dependencies

@chimurai chimurai closed this Oct 1, 2021
@sesam
Copy link
Author

sesam commented Oct 11, 2021

Thanks for solving this issue!
Will share details once we get all-clear from automated security scans.
(I also notice this PR registered under Hacktoberfest, but as this PR is closed I'll try and just delete this branch, and see if that clears it away from my profile.)

@sesam sesam deleted the upgrade/greens-and-yellows branch October 11, 2021 06:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sesam @chimurai