dependency maintenance

- Bump dependencies shown in `pnpm audit` that have valid patches
- Update SBOM workflow for security updates
- Remove project-specific `resolutions` fields (these had no effect on dependency resolution)

.github/workflows/sbom.yml

@@ -5,11 +5,10 @@ name: SBOM upload
 
 on:
   push:
-    branches: ["main"]
+    branches: ['main']
 
 jobs:
   SBOM-upload:
-
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -28,6 +27,6 @@ jobs:
           name: sbom
           path: _manifest/spdx_2.2
       - name: SBOM upload
-        uses: jhutchings1/spdx-to-dependency-graph[email protected].2
+        uses: advanced-security/spdx-dependency-submission[email protected].1
         with:
-          filePath: "_manifest/spdx_2.2/"
+          filePath: '_manifest/spdx_2.2/'

apps/SageAccountWeb/package.json

@@ -39,8 +39,8 @@
     "@types/react-plotly.js": "^2.6.0",
     "@types/react-router-dom": "^5.1.7",
     "@types/react-tooltip": "^4.2.4",
-    "@vitest/coverage-c8": "^0.31.0",
-    "@vitest/ui": "^0.31.0",
+    "@vitest/coverage-c8": "^0.32.4",
+    "@vitest/ui": "^0.32.4",
     "assert": "^2.0.0",
     "buffer": "^6.0.3",
     "https-browserify": "^1.0.0",
@@ -74,9 +74,9 @@
     "typescript": "5.0.4",
     "url": "^0.11.0",
     "util": "^0.12.4",
-    "vite": "^4.3.4",
+    "vite": "^4.4.0",
     "vite-config": "workspace:*",
-    "vitest": "^0.31.0",
+    "vitest": "^0.32.4",
     "whatwg-fetch": "^3.6.2"
   },
   "scripts": {
@@ -103,14 +103,6 @@
       "last 1 safari version"
     ]
   },
-  "resolutions": {
-    "js-yaml": "3.13.1",
-    "react": "18.2.0",
-    "react-hot-toast": "2.2.0",
-    "@types/react": "18.0.17",
-    "@types/react-dom": "18.0.6",
-    "minimatch": "^3.1.2"
-  },
   "lint-staged": {
     "*.{js,jsx,ts,tsx,json,yml,scss,css,md}": "prettier --config .prettierrc --write"
   }

apps/portals/package.json

@@ -46,16 +46,16 @@
     "@testing-library/react": "^13.3.0",
     "@testing-library/user-event": "^14.4.3",
     "@types/katex": "^0.5.0",
-    "@types/lodash": "^4.14.191",
+    "@types/lodash": "^4.14.195",
     "@types/node": "^18.16.12",
     "@types/plotly.js": "^2.12.18",
     "@types/react": "^18.0.17",
     "@types/react-dom": "^18.0.6",
     "@types/react-plotly.js": "^2.6.0",
     "@types/react-router-dom": "^5.3.3",
-    "@vitest/coverage-c8": "^0.31.0",
-    "@vitest/ui": "^0.31.0",
-    "@vitest/utils": "^0.31.1",
+    "@vitest/coverage-c8": "^0.32.4",
+    "@vitest/ui": "^0.32.4",
+    "@vitest/utils": "^0.32.4",
     "assert": "^2.0.0",
     "buffer": "^6.0.3",
     "https-browserify": "^1.0.0",
@@ -88,9 +88,9 @@
     "typescript": "5.0.4",
     "url": "^0.11.0",
     "util": "^0.12.4",
-    "vite": "^4.3.4",
+    "vite": "^4.4.0",
     "vite-config": "workspace:*",
-    "vitest": "^0.31.0",
+    "vitest": "^0.32.4",
     "whatwg-fetch": "^3.6.2"
   },
   "browserslist": {
@@ -108,13 +108,5 @@
       "last 1 firefox version",
       "last 1 safari version"
     ]
-  },
-  "resolutions": {
-    "goober": "2.1.9",
-    "js-yaml": "3.13.1",
-    "react": "18.2.0",
-    "react-hot-toast": "2.2.0",
-    "@types/react": "^18.0.17",
-    "minimatch": "^3.1.2"
   }
 }

apps/synapse-oauth-signin/package.json

@@ -38,13 +38,13 @@
     "@types/react-plotly.js": "^2.6.0",
     "@types/react-router-dom": "^5.3.3",
     "@types/react-tooltip": "^4.2.4",
-    "@vitest/coverage-c8": "^0.31.0",
-    "@vitest/ui": "^0.31.0",
+    "@vitest/coverage-c8": "^0.32.4",
+    "@vitest/ui": "^0.32.4",
     "assert": "^2.0.0",
     "buffer": "^6.0.3",
     "https-browserify": "^1.0.0",
     "identity-obj-proxy": "^3.0.0",
-    "isomorphic-fetch": "^2.2.1",
+    "isomorphic-fetch": "^3.0.0",
     "jsdom": "^21.1.1",
     "katex": "^0.10.0-rc.1",
     "lint-staged": "^13.1.2",
@@ -77,9 +77,9 @@
     "typescript": "5.0.4",
     "url": "^0.11.0",
     "util": "^0.12.4",
-    "vite": "^4.3.4",
+    "vite": "^4.4.0",
     "vite-config": "workspace:*",
-    "vitest": "^0.31.0"
+    "vitest": "^0.32.4"
   },
   "scripts": {
     "clean": "rimraf build coverage",
@@ -106,12 +106,6 @@
       "last 1 safari version"
     ]
   },
-  "resolutions": {
-    "js-yaml": "3.13.1",
-    "@types/react": "18.0.17",
-    "@types/react-dom": "18.0.6",
-    "minimatch": "^3.1.2"
-  },
   "lint-staged": {
     "*.{js,jsx,ts,tsx,json,yml,scss,css,md}": "prettier --config .prettierrc --write"
   }

package.json

@@ -15,15 +15,15 @@
     "type-check": "nx run-many --target=type-check"
   },
   "devDependencies": {
-    "@typescript-eslint/eslint-plugin": "^5.59.2",
-    "@typescript-eslint/parser": "^5.59.2",
-    "eslint": "^8.39.0",
-    "eslint-plugin-jest": "^27.2.1",
-    "eslint-plugin-jest-dom": "^4.0.3",
+    "@typescript-eslint/eslint-plugin": "^5.61.0",
+    "@typescript-eslint/parser": "^5.61.0",
+    "eslint": "^8.44.0",
+    "eslint-plugin-jest": "^27.2.2",
+    "eslint-plugin-jest-dom": "^5.0.1",
     "eslint-plugin-react": "^7.32.2",
     "eslint-plugin-react-hooks": "^4.6.0",
     "eslint-plugin-storybook": "^0.6.12",
-    "eslint-plugin-testing-library": "^5.10.3",
+    "eslint-plugin-testing-library": "^5.11.0",
     "husky": "^8.0.3",
     "lint-staged": "^13.2.2",
     "nx": "^16.0.3",

packages/markdown-it-synapse/package.json

@@ -36,7 +36,7 @@
     "@types/node": "^18.16.12",
     "jest": "^29.4.3",
     "markdown-it": "^13.0.1",
-    "markdown-it-testgen": "~0.1.0",
+    "markdown-it-testgen": "~0.1.6",
     "tsup": "^6.7.0",
     "typescript": "5.0.4"
   },

packages/synapse-react-client/package.json

@@ -57,12 +57,11 @@
     "dagre": "^0.8.5",
     "dayjs": "^1.11.6",
     "downshift": "^6.1.2",
-    "gh-pages": "^3.2.3",
     "history": "^5.3.0",
     "immutable": "4.1.0",
     "json-rules-engine": "^4.0.0",
     "katex": "0.11.1",
-    "lodash-es": ">=4.17.14",
+    "lodash-es": "^4.17.21",
     "markdown-it": "^12.3.2",
     "markdown-it-br": "^1.0.0",
     "markdown-it-center-text": "^1.0.4",
@@ -90,7 +89,6 @@
     "react-mailchimp-subscribe": "^2.1.0",
     "react-measure": "^2.1.2",
     "react-plotly.js": "^2.6.0",
-    "react-plotlyjs-ts": "^2.2.2",
     "react-popper": "^2.2.5",
     "react-query": "3.39.1",
     "react-reflex": "^4.0.0",
@@ -163,7 +161,7 @@
     "@types/jquery": "^3.5.14",
     "@types/json-schema": "^7.0.11",
     "@types/katex": "^0.10.2",
-    "@types/lodash-es": "4.17.3",
+    "@types/lodash-es": "4.17.7",
     "@types/markdown-it": "^12.0.1",
     "@types/node": "^18.16.12",
     "@types/plotly.js": "^2.12.18",
@@ -228,7 +226,7 @@
     "type-fest": "^3.7.2",
     "typescript": "5.0.4",
     "util": "^0.12.4",
-    "vite": "^4.3.4",
+    "vite": "^4.4.0",
     "vite-plugin-svgr": "^2.4.0",
     "weak-napi": "^2.0.2",
     "whatwg-fetch": "^3.6.2"
@@ -266,13 +264,6 @@
       }
     }
   },
-  "resolutions": {
-    "js-yaml": "3.13.1",
-    "@types/react": "18.0.17",
-    "@types/webpack": "^5.28.0",
-    "trim": "^0.0.3",
-    "terser": "5.14.2"
-  },
   "browser": {
     "timers": "timers-browserify"
   },

packages/vite-config/package.json

@@ -13,11 +13,11 @@
     "./dist/vitest-config.js"
   ],
   "peerDependencies": {
-    "vite": "^4.3.4",
-    "vitest": "^0.31.0",
-    "@vitest/coverage-c8": "^0.31.0",
-    "@vitest/ui": "^0.31.0",
-    "@vitest/utils": "^0.31.0"
+    "vite": "^4.4.0",
+    "vitest": "^0.32.4",
+    "@vitest/coverage-c8": "^0.32.4",
+    "@vitest/ui": "^0.32.4",
+    "@vitest/utils": "^0.32.4"
   },
   "peerDependenciesMeta": {
     "vitest": {
@@ -40,8 +40,8 @@
     "rollup-plugin-polyfill-node": "^0.10.2",
     "svgo": "^3.0.2",
     "typescript": "5.0.4",
-    "vite": "^4.3.4",
+    "vite": "^4.4.0",
     "vite-plugin-svgr": "^2.4.0",
-    "vitest": "^0.31.0"
+    "vitest": "^0.32.4"
   }
 }

packages/vite-config/src/vite-config.ts

@@ -1,19 +1,19 @@
-import react from "@vitejs/plugin-react";
-import { resolve, dirname } from "path";
-import { defineConfig } from "vite";
-import svgr from "vite-plugin-svgr";
-import { NodeGlobalsPolyfillPlugin } from "@esbuild-plugins/node-globals-polyfill";
-import { NodeModulesPolyfillPlugin } from "@esbuild-plugins/node-modules-polyfill";
-import rollupNodePolyFill from "rollup-plugin-polyfill-node";
-import { fileURLToPath } from "url";
+import react from '@vitejs/plugin-react'
+import { resolve, dirname } from 'path'
+import { defineConfig } from 'vite'
+import svgr from 'vite-plugin-svgr'
+import { NodeGlobalsPolyfillPlugin } from '@esbuild-plugins/node-globals-polyfill'
+import { NodeModulesPolyfillPlugin } from '@esbuild-plugins/node-modules-polyfill'
+import rollupNodePolyFill from 'rollup-plugin-polyfill-node'
+import { fileURLToPath } from 'url'
 
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
+const __filename = fileURLToPath(import.meta.url)
+const __dirname = dirname(__filename)
 
 export default defineConfig({
   server: { port: 3000 },
   build: {
-    outDir: "./build",
+    outDir: './build',
     commonjsOptions: {
       transformMixedEsModules: true,
     },
@@ -37,11 +37,11 @@ export default defineConfig({
   optimizeDeps: {
     // In the dev server, Vite doesn't automatically optimize plotly.js-basic-dist when it should. This causes a broken import
     // This is probably because plotly.js-basic-dist is a UMD module, and we load the entire object returned by the UMD module into react-plotly.js.
-    include: ["plotly.js-basic-dist"],
+    include: ['plotly.js-basic-dist'],
     esbuildOptions: {
       // Node.js global to browser globalThis
       define: {
-        global: "globalThis",
+        global: 'globalThis',
       },
       plugins: [
         NodeGlobalsPolyfillPlugin({
@@ -54,16 +54,16 @@ export default defineConfig({
   },
   resolve: {
     alias: {
-      src: resolve(__dirname, "/src"),
-      process: "process/browser",
-      path: "path-browserify",
-      timers: "timers-browserify",
-      fs: "memfs",
-      https: "https-browserify",
-      stream: "stream-browserify",
-      http: "stream-http",
-      buffer: "buffer/",
-      util: "util",
+      src: resolve(__dirname, '/src'),
+      process: 'process/browser',
+      path: 'path-browserify',
+      timers: 'timers-browserify',
+      fs: 'memfs',
+      https: 'https-browserify',
+      stream: 'stream-browserify',
+      http: 'stream-http',
+      buffer: 'buffer/',
+      util: 'util',
     },
   },
-});
+})

packages/vite-config/src/vitest-config.ts

@@ -1,22 +1,22 @@
-import { defineConfig, mergeConfig } from "vitest/config";
-import viteConfig from "./vite-config.js";
-
+import { defineConfig, mergeConfig } from 'vitest/config'
+import viteConfig from './vite-config.js'
+import type { UserConfig } from 'vite'
 export default mergeConfig(
-  viteConfig,
+  viteConfig as UserConfig,
   defineConfig({
     optimizeDeps: {
-      exclude: ["vitest/utils"],
-      include: ["@vitest/utils", "vitest/browser"],
+      exclude: ['vitest/utils'],
+      include: ['@vitest/utils', 'vitest/browser'],
     },
     test: {
-      environment: "jsdom",
-      reporters: ["default", "html"],
-      outputFile: { html: "./coverage/report/index.html" },
+      environment: 'jsdom',
+      reporters: ['default', 'html'],
+      outputFile: { html: './coverage/report/index.html' },
       coverage: {
-        provider: "c8",
-        reporter: ["text-summary", "html-spa"],
-        reportsDirectory: "./coverage/cov",
+        provider: 'c8',
+        reporter: ['text-summary', 'html-spa'],
+        reportsDirectory: './coverage/cov',
       },
     },
-  })
-);
+  }) as UserConfig,
+)