
Update dependencies #145

Closed
wants to merge 10 commits into from

Conversation

JM-Lemmi

@JM-Lemmi JM-Lemmi commented Feb 2, 2022

Hey,

I have updated all the dependencies of the project with yarn upgrade. These changes have been tested on our fork and I could not find any incompatibilities.

On our fork I also moved the containers to rolling releases instead of fixed releases (to make keeping the images up to date easier without code changes) as well as removing the eslint graphql plugin, as it has a fixed vulnerable dependency as well as being deprecated by the authors. If you also want those commits just lmk and I'll pick them to this branch.

Cheers!
Lemmi

dependabot bot and others added 10 commits February 2, 2022 18:36
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.4 to 1.14.7.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.14.4...v1.14.7)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [markdown-it](https://github.com/markdown-it/markdown-it) from 12.2.0 to 12.3.2.
- [Release notes](https://github.com/markdown-it/markdown-it/releases)
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/markdown-it@12.2.0...12.3.2)

---
updated-dependencies:
- dependency-name: markdown-it
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [nanoid](https://github.com/ai/nanoid) from 3.1.30 to 3.2.0.
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](ai/nanoid@3.1.30...3.2.0)

---
updated-dependencies:
- dependency-name: nanoid
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
…edirects-1.14.7

Bump follow-redirects from 1.14.4 to 1.14.7 in /api
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.5 to 1.14.7.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.14.5...v1.14.7)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@XeR XeR changed the base branch from main to dev February 5, 2022 15:28
@XeR
Contributor

XeR commented Feb 5, 2022

Hello, thanks for your interest in CTFNote.

> I have updated all the dependencies of the project with yarn upgrade.

We did the same on dev a few days ago. (#143)
It's not on main yet because the vulnerabilities do not impact us. (Feel free to prove me wrong :-) )

I changed your PR to rebase to dev instead of main.

> On our fork I also moved the containers to rolling releases instead of fixed releases

What is the point? New features usually don't code themselves.
On the other hand, this might introduce breaking changes without anybody noticing.
I'm not feeling like gambling with other people's infra. I think we'll keep upgrading Dockerfile by hand.

> as well as removing the eslint graphql plugin, as it has a fixed vulnerable dependency as well as being deprecated by the authors

Did you replace it with the recommended alternative, or did you just drop it? cf. #144
Since this is a dependency only used by devs, I want to have @JJ-8, @B-i-t-K and @SakiiR's input before touching this.

FTR, the vulns in question are:
https://www.npmjs.com/advisories/1004946 (ReDoS, in 3 dependencies)
https://www.npmjs.com/advisories/1005162 (ReDoS)
https://www.npmjs.com/advisories/1006899 (Cookies/Authorization headers get sent after a 30x to a different domain, not sure how this makes sense for a linter)
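The third advisory above concerns follow-redirects forwarding Cookie and Authorization headers when a 30x response sends the request to a different host. The following is an added example, not CTFNote's code and not follow-redirects' own implementation: a small redirect-following client whose policy is to drop credential-bearing headers on any cross-host hop (and on an https to http downgrade), while keeping them for same-host redirects. The host names, the `mockFetcher` stand-in for the servers and the sample request headers are all constructed for the example.

```javascript
// Added example (not CTFNote's code and not follow-redirects' implementation):
// a redirect-following client that drops credential-bearing headers whenever a
// 30x sends the request to a different host or downgrades https -> http.
// Host names, the mock fetcher and the sample request are constructed here.

const SENSITIVE_HEADERS = ["authorization", "proxy-authorization", "cookie", "cookie2"];

// Lowercase the header names once so later lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Same host means same hostname and same (explicit or default) port.
function isSameHost(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.hostname === b.hostname && a.port === b.port;
}

// Decide which headers may accompany the redirected request. Policy: strip the
// credential-bearing ones on any cross-host hop or on an https -> http downgrade.
function headersForRedirect(fromUrl, toUrl, headers) {
  const out = normalizeHeaders(headers);
  const crossHost = !isSameHost(fromUrl, toUrl);
  const downgrade = new URL(fromUrl).protocol === "https:" && new URL(toUrl).protocol === "http:";
  if (crossHost || downgrade) {
    for (const name of SENSITIVE_HEADERS) delete out[name];
  }
  return out;
}

// fetcher(url, headers) is any function returning {status, location} for a
// redirect or {status, body} for a final response. Returns the final URL and a
// trace of which header names were sent on each hop.
function followRedirects(startUrl, headers, fetcher, maxRedirects = 5) {
  let url = startUrl;
  let hdrs = normalizeHeaders(headers);
  const trace = [];
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fetcher(url, hdrs);
    trace.push({ url, sentHeaders: Object.keys(hdrs) });
    const isRedirect = res.status >= 300 && res.status < 400 && res.location;
    if (!isRedirect) return { finalUrl: url, status: res.status, body: res.body, trace };
    const next = new URL(res.location, url).toString(); // resolve a relative Location
    hdrs = headersForRedirect(url, next, hdrs);
    url = next;
  }
  throw new Error(`more than ${maxRedirects} redirects from ${startUrl}`);
}

// Constructed stand-in for two servers: app.example redirects /report to a
// third-party host and /internal to another path on itself.
function mockFetcher(url, headers) {
  const u = new URL(url);
  if (u.hostname === "app.example" && u.pathname === "/report") {
    return { status: 302, location: "https://cdn.third-party.example/file" };
  }
  if (u.hostname === "app.example" && u.pathname === "/internal") {
    return { status: 302, location: "/internal/v2" };
  }
  return { status: 200, body: `${u.hostname}${u.pathname} saw authorization=${"authorization" in headers}` };
}

const sampleHeaders = { Authorization: "Bearer constructed-token", Cookie: "session=constructed", Accept: "*/*" };
console.log(followRedirects("https://app.example/report", sampleHeaders, mockFetcher).trace);
console.log(followRedirects("https://app.example/internal", sampleHeaders, mockFetcher).body);
```

Running the block shows the cross-host hop to cdn.third-party.example carrying only `accept`, while the same-host hop to /internal/v2 still carries the Authorization and Cookie headers. The same policy check is what to look for when reviewing any HTTP client a project pulls in through its lockfile, linter tooling included.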

@JJ-8
Collaborator

JJ-8 commented Feb 7, 2022

I am perfectly fine with dropping the graphql plugin if it removes vulnerabilities. Replacing is also great, but I don't mind.

@JM-Lemmi JM-Lemmi closed this Mar 9, 2022
@JM-Lemmi JM-Lemmi deleted the update_dependencies branch April 24, 2022 12:41