dependency maintenance #354
Conversation
| @@ -28,6 +27,6 @@ jobs: | |||
| name: sbom | |||
| path: _manifest/spdx_2.2 | |||
| - name: SBOM upload | |||
| uses: jhutchings1/[email protected] | |||
There was a problem hiding this comment.
original repo was archived and points to this new action
| "resolutions": { | ||
| "js-yaml": "3.13.1", | ||
| "react": "18.2.0", | ||
| "react-hot-toast": "2.2.0", | ||
| "@types/react": "18.0.17", | ||
| "@types/react-dom": "18.0.6", | ||
| "minimatch": "^3.1.2" | ||
| }, |
There was a problem hiding this comment.
According to the output of pnpm install, these resolution entries are ignored. Only the base package.json resolutions are used.
There was a problem hiding this comment.
See docs for overrides: https://pnpm.io/package_json#pnpmoverrides - this is the same feature, just a different property name.
- Bump dependencies shown in `pnpm audit` that have valid patches - Update SBOM workflow for security updates - Remove project-specific `resolutions` fields (these had no effect on dependency resolution)
- bump TypeScript to 5.1.6
| @@ -46,6 +46,7 @@ type StandaloneQueryWrapperOwnProps = { | |||
| | 'columnAliases' | |||
| | 'noContentPlaceholderType' | |||
| | 'showLastUpdatedOn' | |||
| | 'visibleColumnCount' | |||
There was a problem hiding this comment.
This was missing in the prop signature, but the prop was still passed down, so this is a type-only change.
| @@ -158,6 +158,7 @@ export function useCreateLockAccessRequirement( | |||
| if (options?.onSuccess) { | |||
| return options.onSuccess(data, variables, ctx) | |||
| } | |||
| return | |||
There was a problem hiding this comment.
These functions must have a return statement. If I had to guess, it probably has something to do with this TypeScript change and some (outdated) react-query types.
| @@ -6,7 +6,7 @@ import defaultMuiThemeOptions from './DefaultTheme' | |||
| import type { PartialDeep } from 'type-fest' | |||
|
|
|||
| export function mergeTheme( | |||
| themeOverrides: PartialDeep<ThemeOptions>, | |||
| themeOverrides: ThemeOptions | PartialDeep<ThemeOptions>, | |||
There was a problem hiding this comment.
MUI/Emotion update required this change. Some change in their types makes ThemeOptions not satisfy PartialDeep<ThemeOptions>. May be a bug in type-fest, which provides the PartialDeep utility type.
|
|
||
| export default defineConfig({ | ||
| export const config: UserConfig = { |
There was a problem hiding this comment.
Some changes in types required separating the config object from the config definition.
| "react-easy-crop": "^4.2.0", | ||
| "react-query": "3.39.1", | ||
| "react-router-dom": "5.3.3", | ||
| "react-spinners": "^0.11.0", |
There was a problem hiding this comment.
Dropped react-spinners as it is unused in this project.
| @@ -1,4 +1,4 @@ | |||
| import { renderHook } from '@testing-library/react-hooks' | |||
| import { renderHook } from '@testing-library/react' | |||
There was a problem hiding this comment.
Functionality in @testing-library/react-hooks has been ported to @testing-library/react, so we dropped @testing-library/react-hooks
| @@ -36,14 +36,13 @@ describe('usePreFetchResource tests', () => { | |||
| ), | |||
| ) | |||
|
|
|||
| const { result, waitForNextUpdate } = renderHook(() => | |||
There was a problem hiding this comment.
waitForNextUpdate is not in @testing-library/react, but that's ok, we can just use waitFor
There was a problem hiding this comment.
Dropped an <?xml > tag that was not parseable by upgraded esbuild
nickgros
added
the
chromatic
| const SynapseClient = require('../../../../src/synapse-client/SynapseClient') | ||
| SynapseClient.getEntityBundleV2 = jest.fn().mockResolvedValue(expected) |
There was a problem hiding this comment.
Replaced dynamic require import with jest.spyOn
|
|
||
| const queryClient = new QueryClient() | ||
|
|
||
| const wrapper = (props: { children: React.ReactChildren }) => ( |
There was a problem hiding this comment.
Replace with existing utility
| }) | ||
|
|
||
| await waitFor(() => result.current.isSuccess) |
There was a problem hiding this comment.
The returned waitFor must have allowed returning a boolean. The imported waitFor check doesn't work unless an error is thrown, such as if an expect fails.
There was a problem hiding this comment.
No meaningful config changes, just updated to work with new types
There was a problem hiding this comment.
Config itself unchanged, just reformatted and structure changed to work with type changes
There was a problem hiding this comment.
This workflow pushes a dependency list from our lockfile to a Microsoft tool that generates and reports security vulnerabilities. It's our workaround to get vulnerability alerts until GitHub supports Dependabot security updates for pnpm.
| "vite": "^4.3.4", | ||
| "tslib": "^2.6.0", | ||
| "type-fest": "^3.13.0", | ||
| "typescript": "5.1.6", |
There was a problem hiding this comment.
Upgraded TS everywhere
| @@ -56,27 +55,27 @@ | |||
| "markdown-it-strikethrough-alt": "^1.0.0", | |||
| "markdown-it-sub-alt": "^1.0.0", | |||
| "markdown-it-sup-alt": "^1.0.2", | |||
| "markdown-it-synapse": "^1.1.7", | |||
| "markdown-it-synapse": "workspace:^", | |||
There was a problem hiding this comment.
Using workspace markdown-it-synapse for devDependencies, but I think all of the apps are pulling an old version from CDN. Since the bundling strategy changed, that should be tackled separately
| "react-cookie": "4.0.0", | ||
| "react-dom": "^18.2.0", | ||
| "react-query": "3.39.1", | ||
| "react-router-dom": "5.3.3", | ||
| "react-spinners": "^0.11.0", |
There was a problem hiding this comment.
react-spinners also unused here
| "memfs": "^3.4.7", | ||
| "msw": "^0.49.3", | ||
| "memfs": "^3.5.3", | ||
| "msw": "^1.2.2", |
There was a problem hiding this comment.
Bump to match other packages
There was a problem hiding this comment.
renamed from .tsx, bad diff
Ran
pnpm update --recursiveand followed up with a few manual version changes to achieve the followingresolutionsfields (these had no effect on dependency resolution)Additionally, update our SBOM upload workflow to continue getting vulnerability alerts (still needed while we wait on dependabot/dependabot-core#7434).