Security upgrades #203

euanmillar · 2022-03-30T15:23:43Z

Dependencies with Critical vulnerabilities:

fixed broken tests
tap -> Bumped up from 10.1 to 12.6
talisman -> Bumped up from 0.21.0 to 1.1.4
standard -> Bumped up from 8.6.0 to 11.0.0
fhir -> Used yarn resolutions for lodash and xmlbuilder

Dependencies with High vulnerabilities:

tap -> Bumped up from 12.6 to 14.10
mongodb -> Bumped up from 2.2.22 to 3.5.4
codecov -> Bumped up from 3.6.1 to 3.8.3
nconf -> Bumped up from 0.10.0 to 0.11.3
libxmljs -> Already at the latest version that is currently available so need to use yarn resolutions for its dependencies
- node-pre-gyp -> This package is now deprecated
  - tar -> Added resolution for tar 4.4.19
  - ini

Dependencies with Moderate vulnerabilities:

snazzy -> Bumped up from 8.0.0 to 9.0.0
standard -> Bumped up from 11.0.0 to 16.0.4
tap -> Bumped up from 14.10 to 15.2.3
urijs -> Bumped up from 1.19.2 to 1.19.10
jsprim -> Bumped up from 1.4.1 to 1.4.2

Node engine limitation

Previously hearth was limited to using node >= 6.9.0 and < 9.0.0 because using anything newer
would cause the build process to fail. The issue was actually with fhir->libxmljs->nan and using
libxmljs >= 0.18.8 made it possible to remove the engine limitation.

Now it works with node v14.18.1

The main issue which was preventing hearth from building was in libxmljs->nan and it was fixed in nan >= 2.8.0 which is used in libxmljs >= 0.18.8

Some tests fail if the tests run in parallel.

Tar is a dependency of libxmljs->node-pre-gyp and libxmljs is already at the latest version that is currently available. Furthermore, node-pre-gyp is now deprecated so had to add resolution directly for tar.

Zangetsu101 added 25 commits March 30, 2022 16:15

Fix broken tests

aade0ef

Bump up tap from 10.1 to 12.6

7bb65b4

Bump up talisman from 0.21.0 to 1.1.4

50b66da

Bump up standard from 8.6.0 to 11.0.0

36179be

Bump up standard from 11.0.0 to 12.0.1

67317f2

Bump up mongodb from 2.2.22 to 3.5.4

d156dd3

Remove engine limitations

895bf29

The main issue which was preventing hearth from building was in libxmljs->nan and it was fixed in nan >= 2.8.0 which is used in libxmljs >= 0.18.8

Bump up tap from 12.6 to 14.10

fbf9c32

Make tests run serially

8cd1fb0

Some tests fail if the tests run in parallel.

Bump up nconf from 0.10.0 to 0.11.3

8c36e14

Bump up codecov from 3.6.1 to 3.8.3

8430344

Add resolution for tar 4.4.19

31ba9b4

Tar is a dependency of libxmljs->node-pre-gyp and libxmljs is already at the latest version that is currently available. Furthermore, node-pre-gyp is now deprecated so had to add resolution directly for tar.

Upgrade ini to 1.3.8

7872e59

Bump up standard from 12.0.1 to 13.1.0

cbd9583

Bump up standard from 13.1.0 to 14.3.4

3363ced

Dedup 'mkdirp' in lock file

c7bf7f0

Upgrade hosted-git-info

781ffe1

Dedup minmist

cbe4005

Bump up snazzy from 8.0.0 to 9.0.0

e43c59e

Bump up standard from 14.3.4 to 15.0.1

a37cae4

Bump up standard from 15.0.1 to 16.0.4

dccd7d9

Bump up tap from 14.10 to 15.2.3

d3f9e6c

Bump up urijs from 1.19.2 to 1.19.10

5ebe118

Bump up jsprim from 1.4.1 to 1.4.2

1fe71bf

Dedup string-width

aa7ac63

euanmillar requested a review from rcrichton March 30, 2022 15:25

euanmillar mentioned this pull request Mar 30, 2022

Run yarn audit on Hearth and fix any security issues opencrvs/opencrvs-core#2432

Closed

21 tasks

rikukissa approved these changes May 19, 2022

View reviewed changes

rikukissa mentioned this pull request May 19, 2022

Use the latest version of Hearth opencrvs/opencrvs-core#3124

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security upgrades #203

Security upgrades #203

euanmillar commented Mar 30, 2022

Security upgrades #203

Are you sure you want to change the base?

Security upgrades #203

Conversation

euanmillar commented Mar 30, 2022

Dependencies with Critical vulnerabilities:

Dependencies with High vulnerabilities:

Dependencies with Moderate vulnerabilities:

Node engine limitation