Updates to resolve vulnerability warnings #24
Conversation
I'm running the newest version of macOS, which has issues with older versions of fsevents, which is pulled in because of react-scripts. As a result, I cannot run unit tests against this update. I'll tackle react-scripts next, since it's dependencies are the source of 69 vulnerabilities.
The unit tests are passing and storybook is working, but there are a couple of lingering error messages that need to be looked into.
Storybook was spewing warnings about using default exports in the same file as storiesOf(), so I modified the stories to remove the default keyword. The exports are still available, but they're no longer the default. The unit tests were modified to use the new non-default exports from the stories. In a couple of cases, inconsistencies in the names of the imported/exported items were fixed.
oneOf() checks values, oneOfType() checks types which is what was actually desired.
johnworth
changed the title
|
I'm seeing the following deprecation warning, but it seems to require an update of something provided my material-ui so I left it alone for now:
|
| @@ -6,7 +6,7 @@ import React, { Component } from "react"; | |||
| import CopyTextArea from "../src/components/copy/CopyTextArea"; | |||
| import { storiesOf } from "@storybook/react"; | |||
|
|
|||
| export default class CopyTextAreaTest extends Component { | |||
| export class CopyTextAreaTest extends Component { | |||
There was a problem hiding this comment.
Can you provide the error/warning you're getting that prompted this change? I'm not seeing anything on my machine when I run Storybook.
There was a problem hiding this comment.
I'm seeing this in the Actions pane in Storybook:
There was a problem hiding this comment.
That's what I'm seeing on the master branch, I should add.
| @@ -22,7 +23,8 @@ | |||
| "react": "^16.8.6", | |||
| "react-dom": "^16.8.6", | |||
| "react-intl": "^2.9.0", | |||
| "react-select": "^2.0.0" | |||
| "react-select": "^2.0.0", | |||
There was a problem hiding this comment.
This is where you're getting the componentWillReceiveProps warning. Looks like they recently pushed out v3.0.7 which has the fix for this. Since they bumped a major version though, we may have to update our Autocomplete component for any breaking changes.
There was a problem hiding this comment.
Thanks, good to know. I had a suspicion that's where it was coming from based on the error message, but since it was just a warning I didn't want to risk breaking a ton of stuff.
There was a problem hiding this comment.
Or move onto https://material-ui.com/components/autocomplete/
| @@ -22,7 +23,8 @@ | |||
| "react": "^16.8.6", | |||
| "react-dom": "^16.8.6", | |||
| "react-intl": "^2.9.0", | |||
| "react-select": "^2.0.0" | |||
| "react-select": "^2.0.0", | |||
| "typescript": "^3.7.3" | |||
There was a problem hiding this comment.
This peer dependency will currently not work with the DE. We could go with a branching strategy like you suggested, but then I'm not sure how that will work since we push and build ui-lib as a version to npm 🤔 I'm not sure if we want to just version lock the DE to whatever version it's at now and let Sonora get all the updates?
There was a problem hiding this comment.
Yeah, I think we can limit the DE to the current major version (allowing for bug fixes as minor version updates), but let the Sonora get the latest updates. Honestly, I think that's going to be required.
There was a problem hiding this comment.
For clarification, I mean something like limit the DE to ^1.0.0 (just as an example) which is built and pushed to npm from the DE branch, while master continues to have the lastest code starting with version 2.0.0. I pulled those version numbers out of the air just as examples.
| @@ -79,7 +79,7 @@ CopyTextArea.propTypes = { | |||
| debugIdPrefix: PropTypes.string, | |||
| multiline: PropTypes.bool, | |||
| text: PropTypes.string.isRequired, | |||
| btnText: PropTypes.oneOf([PropTypes.string, PropTypes.object]), | |||
| btnText: PropTypes.oneOfType([PropTypes.string, PropTypes.object]), | |||
There was a problem hiding this comment.
oops, that was my tpyo, thanks for fixing!
|
I'll bump up the version here and create a branch/tag to maintain a build for the old DE. |
|
After discussing things with Sarah and Sriram a bit, I'm going to go ahead and merge this. |
|
Thanks for the reviews! |
When ui-lib was pulled into neat-example, npm started reporting over 2k vulnerabilities. This pull request is an attempt to get that number as close to 0 as possible.
This required an update to react-scripts. Its dependencies are a source of ~70 vulnerabilities, plus I can't get unit tests to run on newer versions of macOS without an upgrade.