EREGCSC-1015 Resolve dependabot alerts #287

Merged
merged 19 commits into from
Dec 17, 2021
Conversation

@PhilR8 PhilR8 commented Dec 14, 2021

No description provided.

PhilR8 commented Dec 15, 2021

All npm vulnerabilities in ./e2e, ./serverless, and ./serverless/static-assets have been resolved. See screenshots below. You can also pull down this repository and check for yourself by navigating to the folders listed above and running npm audit.

e2e

serverless

serverless/static-assets

However, once you go into ./regulations/static, things are a bit different. There are 20+ vulnerabilities, almost all of which are related to storybook.

Here is a GitHub issue where other people are having very similar issues:

storybookjs/storybook#16556

Which then links to an issue with create-react-app (that has a bunch of duplicate issues listed):

facebook/create-react-app#11641

Suffice it to say, it's a current and ongoing issue.

However, Dan Abramov (of React/Redux/CreateReactApp renown) has a few things to say about the results of npm audit:

https://overreacted.io/npm-audit-broken-by-design/
facebook/create-react-app#11174

Namely: these are build tool vulnerabilities and are of little consequence.

But isn't this just ignoring the problem?
No.

Create React App is a build tool. In other words, it doesn't produce a running Node application. It runs at the build time during development, and produces static assets.

However, npm audit is designed for Node apps so it flags issues that can occur when you run actual Node code in production. That is categorically not how Create React App works.

The resolution proposed by Dan Abramov is to move all build tool packages into devDependencies and run:

npm audit --production

And that should return zero vulnerabilities.

In our case, this meant migrating storybook to use Webpack5. Once finished, Storybook runs as expected, and running npm audit --production returns zero vulnerabilities. See screenshot below:

regulations/static
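The comment above draws a line between advisories that only touch build tooling and advisories that reach the code actually shipped. The script below is an added example (not code from this PR or the project) that makes that triage mechanical: it takes a report in the shape of `npm audit --json` (npm 7 and later) and a production-only tree in the shape of `npm ls --omit=dev --all --json`, and buckets each finding by whether the vulnerable package is reachable from `dependencies`. Both inputs are constructed samples with invented package names and advisory titles; nothing here is the repository's real audit output. Two caveats worth keeping in mind alongside `npm audit --production`: npm 8 and later document `--omit=dev` as the replacement spelling, and dev-only packages still execute on developer machines and CI runners (install scripts and the build itself), so the gate below reports them rather than silencing them.

```javascript
"use strict";

// Added example, not code from the PR or the project. It reproduces, as a script,
// the reasoning in the thread: an advisory that only touches build tooling does
// not ship in the static assets, so it is triaged differently from one that reaches
// the production dependency tree. Both inputs are constructed samples shaped like
// `npm audit --json` (npm 7+) and `npm ls --omit=dev --all --json`; the package
// names and advisory titles are invented.

const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "build-minifier": {
      name: "build-minifier", severity: "high", isDirect: false,
      via: [{ title: "ReDoS in selector parser", url: "https://example.invalid/adv/1" }],
      effects: ["dev-story-server"], range: "<2.0.0", fixAvailable: true,
    },
    "dev-story-server": {
      name: "dev-story-server", severity: "high", isDirect: true,
      via: ["build-minifier"], effects: [], range: "*", fixAvailable: true,
    },
    "http-client-lib": {
      name: "http-client-lib", severity: "moderate", isDirect: true,
      via: [{ title: "Header injection via CRLF", url: "https://example.invalid/adv/2" }],
      effects: [], range: "<1.4.0", fixAvailable: true,
    },
    "url-parser-lib": {
      name: "url-parser-lib", severity: "low", isDirect: false,
      via: [{ title: "Hostname confusion", url: "https://example.invalid/adv/3" }],
      effects: ["http-client-lib"], range: "<1.0.0", fixAvailable: false,
    },
  },
};

// Production-only tree (constructed): build-minifier and dev-story-server are absent
// because they live under devDependencies, exactly the split the thread recommends.
const sampleProdTree = {
  name: "regulations-static", version: "1.0.0",
  dependencies: {
    "http-client-lib": {
      version: "1.3.0",
      dependencies: { "url-parser-lib": { version: "0.9.0" } },
    },
    "ui-framework": { version: "17.0.2" },
  },
};

// Collect every package name reachable from an `npm ls --json` style tree.
function reachablePackages(tree, seen = new Set()) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    seen.add(name);
    if (node && node.dependencies) reachablePackages(node, seen);
  }
  return seen;
}

// Split audit findings by whether the vulnerable package is in the production tree.
function classifyAudit(audit, prodTree) {
  const prod = reachablePackages(prodTree);
  const out = { production: [], devOnly: [] };
  for (const v of Object.values(audit.vulnerabilities || {})) {
    // In npm's report, `via` holds objects for the package's own advisories and
    // plain strings when the package is only vulnerable through a dependency.
    const titles = (v.via || []).filter((x) => typeof x === "object").map((x) => x.title);
    const item = {
      name: v.name, severity: v.severity, direct: Boolean(v.isDirect),
      titles, fixAvailable: Boolean(v.fixAvailable),
    };
    (prod.has(v.name) ? out.production : out.devOnly).push(item);
  }
  return out;
}

// CI gate: fail only on findings that reach production at or above the chosen
// severities, but keep dev-only findings in the result so they stay visible.
function auditGate(audit, prodTree, failAt = ["moderate", "high", "critical"]) {
  const { production, devOnly } = classifyAudit(audit, prodTree);
  const blocking = production.filter((v) => failAt.includes(v.severity));
  return {
    ok: blocking.length === 0, blocking,
    productionCount: production.length, devOnlyCount: devOnly.length,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const gate = auditGate(sampleAudit, sampleProdTree);
  console.log(JSON.stringify(gate, null, 2));
  process.exitCode = gate.ok ? 0 : 1;
}
```

To run it against a real project, replace the two constructed objects with the parsed output of `npm audit --json` and `npm ls --omit=dev --all --json` run in the same directory; the classification then matches what `npm audit --omit=dev` would show, while still listing the build-tool findings the PR describes for Storybook.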

@PhilR8 PhilR8 temporarily deployed to dev December 15, 2021 20:49
"babel-loader": "^8.2.2",
"eslint": "^8.3.0",
"eslint-config-airbnb-base": "^15.0.0",
"eslint-config-prettier": "^8.3.0",
"eslint-plugin-import": "^2.25.3",
"eslint-plugin-vue": "^8.1.1",
"prettier": "2.2.1"
"prettier": "2.2.1",
"webpack": "^5.65.0"
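Review bot: these lines do not show which section of package.json they belong to, and the fix described in the thread only works if the build tooling sits under devDependencies, since that is what `npm audit --production` skips. Confirm that the new "webpack": "^5.65.0" entry and "babel-loader": "^8.2.2" are under devDependencies rather than dependencies, and that package-lock.json was regenerated in the same commit so the audit screenshots reflect the resolved tree. Minor: "prettier": "2.2.1" is the only exact pin in this block while every other entry uses a caret range; if the pin is deliberate, a one-line note in the PR description would save the next reader from "fixing" it.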
@PhilR8 (author) commented on these lines:
moving Storybook to latest version and migrating to webpack 5

@PhilR8 PhilR8 temporarily deployed to dev December 16, 2021 13:52
@knollfear knollfear left a comment:
LGTM! Thanks for doing the research into this.

@PhilR8 PhilR8 merged commit 5317f14 into main Dec 17, 2021
@thwalker6 thwalker6 deleted the EREGCSC-1015-pkg-alerts branch August 17, 2022 13:01