
Update vulnerable libraries #766

Merged
merged 10 commits into from
Sep 6, 2024

Conversation

rorymckinley
Contributor

@rorymckinley rorymckinley commented Sep 5, 2024

Short Description

Upgrades a number of vulnerable libraries.

Related issue

#763

fixes https://github.com/OpenFn/kit/security/dependabot/22
fixes https://github.com/OpenFn/kit/security/dependabot/21
fixes https://github.com/OpenFn/kit/security/dependabot/16
fixes https://github.com/OpenFn/kit/security/dependabot/12
fixes https://github.com/OpenFn/kit/security/dependabot/10
fixes https://github.com/OpenFn/kit/security/dependabot/8

Implementation Details

Some vulnerable libraries remain, but they appear to be entirely dependencies of other OpenFN libraries, so I will tackle those first.

QA Notes

List any considerations/cases/advice for testing/QA here.

Checklist before requesting a review

  • I have performed a self-review of my code
  • I have added unit tests
  • If this is a change to the Worker, does the API_VERSION need bumping?
  • Changesets have been added (if there are production code changes)

Release branch checklist

Still not sure of the criteria for a release PR :).

If this IS a release branch:

  • Run pnpm changeset version from root to bump versions
  • Run pnpm install
  • Commit the new version numbers
  • Run pnpm changeset tag to generate tags
  • Push tags git push --tags

Tags may need updating if commits come in after the tags are first generated.
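As an added check for reviewing a dependency bump like this one (example code, not part of this PR or of the OpenFn repository): a POSIX shell script that lists every resolved version of a package in a pnpm-lock.yaml and flags the copies still below a patched-version floor. It covers the case the implementation notes describe, where a direct upgrade lands but older copies survive as transitive dependencies. The lockfile content, the package versions and the 8.17.1 floor are constructed placeholders for the example; the floor is whatever the advisory for the package names as the fixed release, not a value taken from this PR.

```shell
#!/bin/sh
# resolved_versions <package> <lockfile>
# Every resolved version of <package> in a pnpm lockfile, de-duplicated.
# pnpm writes each resolved package as a two-space-indented key under
# "packages:", as "  ws@8.18.0:" (lockfile v9) or "  /ws@8.18.0:" (v6),
# optionally followed by a peer-dependency suffix such as "(bufferutil@4.0.8)".
# Assumption: <package> is used verbatim in the regex, so a "." in a name
# matches any character; exact enough for a review check.
resolved_versions() {
  pkg="$1"; lock="$2"
  sed -n -E "s#^  /?${pkg}@([0-9][^:(]*).*#\1#p" "$lock" | sort -u
}

# version_lt <a> <b>: exit 0 when dotted numeric version a is older than b.
# Pre-release suffixes ("8.18.0-beta.1") are compared by their numeric prefix only.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# vulnerable_versions <package> <fixed-version> <lockfile>
# Prints each resolved version of <package> older than <fixed-version>.
# Exit status 0 when the lockfile is clean, 1 when an old copy remains.
vulnerable_versions() {
  pkg="$1"; floor="$2"; lock="$3"
  found=0
  for v in $(resolved_versions "$pkg" "$lock"); do
    if version_lt "$v" "$floor"; then
      echo "$v"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# Constructed sample lockfile (not OpenFn's real one): the workspace package
# was bumped to a current ws, but an older copy is still pulled in
# transitively, written in the v6 key style with a peer-dependency suffix.
SAMPLE_LOCK="$(mktemp)"
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat > "$SAMPLE_LOCK" <<'EOF'
lockfileVersion: '6.0'

importers:
  packages/cli:
    dependencies:
      ws:
        specifier: ^8.18.0
        version: 8.18.0

packages:
  /ws@8.18.0:
    resolution: {integrity: sha512-constructed}
  /ws@8.17.1(bufferutil@4.0.8):
    resolution: {integrity: sha512-constructed}
  /ws@7.5.9:
    resolution: {integrity: sha512-constructed}
EOF

# Usage: placeholder floor of 8.17.1; the real floor comes from the advisory.
if vulnerable_versions ws 8.17.1 "$SAMPLE_LOCK"; then
  echo "no resolved ws older than 8.17.1"
else
  echo "older ws copies remain (see versions above); run: pnpm why ws"
fi
```

For each version the script reports, `pnpm why <package>` prints the dependents that resolve to it, which separates a copy owned by this repository from one that can only be fixed by releasing the OpenFn library that pulls it in.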

'@openfn/cli': patch
---

Upgrade vulnerable version of ws.
rorymckinley (Contributor, Author)


@josephjclark This is an alarming comment - to serve as a friendly reminder that I bumped ws several minor versions and, as a result, you thought that some additional testing may be prudent.

@josephjclark josephjclark changed the title 763 update decode uri component Update vulnerable libraries Sep 6, 2024
@josephjclark josephjclark changed the base branch from main to release/next September 6, 2024 09:21
@josephjclark josephjclark merged commit 5be5ca0 into release/next Sep 6, 2024
6 checks passed
@josephjclark josephjclark mentioned this pull request Sep 6, 2024