
updated dependencies #810

Merged (1 commit), May 25, 2023
Conversation

sadiqkhoja (Contributor)

Closes #758

```text
> npm audit

# npm audit report

dot-object  <2.1.3
Severity: moderate
Prototype Pollution in dot-object - https://github.com/advisories/GHSA-j9cf-pr2x-5273
fix available via `npm audit fix`
node_modules/dot-object
  vue-i18n-extract  <=0.3.0 || 0.4.9 - 1.0.3
  Depends on vulnerable versions of dot-object
  node_modules/vue-i18n-extract
    vue-cli-plugin-i18n  0.6.0 || 1.0.0 - 2.3.1
    Depends on vulnerable versions of vue-i18n-extract
    node_modules/vue-cli-plugin-i18n

engine.io  5.1.0 - 6.4.1
Severity: moderate
engine.io Uncaught Exception vulnerability - https://github.com/advisories/GHSA-q9mw-68c2-j6m5
fix available via `npm audit fix`
node_modules/engine.io
  socket.io  4.1.0 - 4.6.0-alpha1
  Depends on vulnerable versions of engine.io
  Depends on vulnerable versions of socket.io-parser
  node_modules/socket.io

socket.io-parser  4.0.4 - 4.2.2
Severity: high
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-cqmj-92xf-r6r9
fix available via `npm audit fix`
node_modules/socket.io-parser

webpack  5.0.0 - 5.75.0
Severity: high
Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
fix available via `npm audit fix`
node_modules/webpack

7 vulnerabilities (4 moderate, 3 high)

> npm audit fix
added 8 packages, removed 22 packages, changed 40 packages, and audited 1067 packages in 6s
```

What has been done to verify that this works as intended?

All tests are passing

Why is this the best possible solution? Were any other approaches considered?

NA

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

Reading the output, I think the vulnerabilities were only in build tools/dev dependencies, so nothing special needs to be done besides regular regression testing.

Does this change require updates to user documentation? If so, please file an issue here and include the link below.

No

Before submitting this PR, please make sure you have:

  • run npm run test and npm run lint and confirmed all checks still pass OR confirm CircleCI build passes
  • verified that any code or assets from external sources are properly credited in comments or that everything is internally sourced
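The regression-risk answer above rests on every finding being reachable only through devDependencies. The script below is an added example, not code from this PR, from ODK Central or from npm itself: it takes the JSON form of the same report (`npm audit --json`, report version 2), walks each finding's `effects` chain up to the direct dependencies, and looks those up in package.json to label the finding `dev`, `prod` or `unknown`. The embedded report is constructed to mirror the text report in the PR description and trimmed to the fields the code reads; both package.json dependency sections are assumed for illustration and are not taken from the repository.

```javascript
// Added example (not part of this PR, of ODK Central, or of npm): classify
// `npm audit --json` findings by whether a runtime dependency can reach them.

// Constructed to mirror the PR's text report (auditReportVersion 2 layout,
// only the fields used below).
const AUDIT_REPORT_JSON = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    'dot-object': { severity: 'moderate', isDirect: false, effects: ['vue-i18n-extract'],
      via: [{ title: 'Prototype Pollution in dot-object', url: 'https://github.com/advisories/GHSA-j9cf-pr2x-5273' }] },
    'vue-i18n-extract': { severity: 'moderate', isDirect: false, effects: ['vue-cli-plugin-i18n'], via: ['dot-object'] },
    'vue-cli-plugin-i18n': { severity: 'moderate', isDirect: true, effects: [], via: ['vue-i18n-extract'] },
    'engine.io': { severity: 'moderate', isDirect: false, effects: ['socket.io'],
      via: [{ title: 'engine.io Uncaught Exception vulnerability', url: 'https://github.com/advisories/GHSA-q9mw-68c2-j6m5' }] },
    'socket.io-parser': { severity: 'high', isDirect: false, effects: ['socket.io'],
      via: [{ title: 'Insufficient validation when decoding a Socket.IO packet', url: 'https://github.com/advisories/GHSA-cqmj-92xf-r6r9' }] },
    'socket.io': { severity: 'high', isDirect: true, effects: [], via: ['engine.io', 'socket.io-parser'] },
    webpack: { severity: 'high', isDirect: true, effects: [],
      via: [{ title: 'Cross-realm object access in Webpack 5', url: 'https://github.com/advisories/GHSA-hc6q-2mpp-qw7j' }] },
  },
});

// Assumed package.json dependency sections (illustrative, not the project's).
const PACKAGE_JSON_DEV_ONLY = {
  dependencies: {},
  devDependencies: { 'vue-cli-plugin-i18n': '^2.0.0', 'socket.io': '^4.1.0', webpack: '^5.0.0' },
};
// Same, but with socket.io as a runtime dependency, to show the contrast.
const PACKAGE_JSON_RUNTIME_SOCKET = {
  dependencies: { 'socket.io': '^4.1.0' },
  devDependencies: { 'vue-cli-plugin-i18n': '^2.0.0', webpack: '^5.0.0' },
};

// Follows `effects` (the packages that depend on this one) until it reaches
// entries marked isDirect, i.e. names that appear in package.json. Real
// dependency graphs can contain cycles, so visited names are tracked.
function directDependents(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  if (vulns[name].isDirect) return [name];
  return vulns[name].effects.flatMap((dep) => directDependents(vulns, dep, seen));
}

function scopeOf(pkg, name) {
  if (pkg.dependencies && name in pkg.dependencies) return 'prod';
  if (pkg.devDependencies && name in pkg.devDependencies) return 'dev';
  return 'unknown';
}

// For each finding: the direct dependencies it is reachable from, the advisory
// URLs, and a scope of 'prod' (a runtime dependency pulls it in), 'dev' (only
// devDependencies do) or 'unknown' (no root found, or a root missing from
// package.json, so "dev-only" cannot be shown and the finding needs a look).
function classifyFindings(reportJson, pkg) {
  const { vulnerabilities } = JSON.parse(reportJson);
  const out = {};
  for (const [name, entry] of Object.entries(vulnerabilities)) {
    const roots = [...new Set(directDependents(vulnerabilities, name))];
    const scopes = roots.map((r) => scopeOf(pkg, r));
    let scope = 'dev';
    if (scopes.includes('prod')) scope = 'prod';
    else if (roots.length === 0 || scopes.includes('unknown')) scope = 'unknown';
    const advisories = entry.via.filter((v) => typeof v === 'object').map((v) => v.url);
    out[name] = { severity: entry.severity, roots, scope, advisories };
  }
  return out;
}

// Counts findings per scope; anything outside 'dev' should block a
// "regression testing is enough" conclusion.
function summarize(classified) {
  const counts = { prod: 0, dev: 0, unknown: 0 };
  for (const f of Object.values(classified)) counts[f.scope] += 1;
  return counts;
}

console.log(summarize(classifyFindings(AUDIT_REPORT_JSON, PACKAGE_JSON_DEV_ONLY)));      // { prod: 0, dev: 7, unknown: 0 }
console.log(summarize(classifyFindings(AUDIT_REPORT_JSON, PACKAGE_JSON_RUNTIME_SOCKET))); // { prod: 3, dev: 4, unknown: 0 }
```

With the dev-only package.json all seven findings come out `dev`, which is the reading the PR description gives; moving `socket.io` to `dependencies` flips the three findings under it to `prod`, which is the case where "regular regression testing" would not be enough. Run it against the real report with `npm audit --json > audit.json` and the repository's package.json instead of the constructed inputs.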

@sadiqkhoja sadiqkhoja marked this pull request as ready for review May 24, 2023 22:29
@sadiqkhoja sadiqkhoja merged commit 0d532a3 into getodk:master May 25, 2023
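The first finding in the report is a prototype-pollution advisory against a dotted-path library. The snippet below is an added example, not code from this PR, from ODK, or from the dot-object package: a minimal dotted-path setter of the kind such libraries provide, shown in a form open to prototype pollution and then hardened. The attacker-controlled path and the `isAdmin` property name are constructed for the demonstration; only Node.js built-ins are used.

```javascript
// Added example (not from this PR, from ODK, or from dot-object): a toy
// dotted-path setter, vulnerable and hardened.

// Vulnerable form: every path segment is used as a property name, so the
// segment "__proto__" walks onto Object.prototype and the final write lands
// there. Every object created afterwards then inherits the injected value.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form: refuse the segments that reach the prototype chain, and only
// descend into own, plain-object properties so an inherited value is never
// used as the next container.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_SEGMENTS.has(k)) {
      throw new Error(`refusing to set path segment "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!hasOwn(cur, k) || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runs a constructed attacker-controlled path through a setter and reports
// whether an unrelated, freshly created object ended up with the injected
// property. Object.prototype is cleaned up afterwards so the process stays usable.
function pollutes(setter) {
  let victimGotProperty = false;
  try {
    setter({}, '__proto__.isAdmin', true);
    victimGotProperty = ({}).isAdmin === true;
  } catch (e) {
    // the hardened setter throws before writing anything
  } finally {
    delete Object.prototype.isAdmin;
  }
  return victimGotProperty;
}

console.log('unsafe setter pollutes Object.prototype:', pollutes(setPathUnsafe)); // true
console.log('safe setter pollutes Object.prototype:', pollutes(setPathSafe));     // false
console.log('safe setter on a normal path:', JSON.stringify(setPathSafe({}, 'a.b.c', 1))); // {"a":{"b":{"c":1}}}
```

The check that matters when such a library sits in a build pipeline is whether any path it receives can be influenced by untrusted input (translation keys, config files, form data); if it can, the upgrade is a runtime fix rather than a dev-only one.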
Successfully merging this pull request may close these issues: Update dependencies for v2023.3