Update vulnerable packages #288
Conversation
|
Ugh typescript is throwing a huge number of errors locally (things like Interface 'ElementClass' cannot simultaneously extend types 'Component<any, {}, any>' and 'Component<any, {}, any>'). I'm going to have to redo a large portion of this .-. |
|
Where is it erroring? I'm running your branch locally without erroring. |
|
With node v14.18.3 (yarn 1.22.18) via nvm, the command |
|
I don't think those errors are related to your changes. Seems to be a conflict error with yarn and @types/react and @types/react-dom from what I saw, and it doesn't break the app. If you switch to |
|
...thanks for those tips! With the type annotations the same, (and a slightly newer version of node types), I can actually get tsc-silent to pass! I'll see what's going with the animations and other issues. Thanks for being so helpful |
- Make react/react-dom/test-renderer use the same major version - Upgrade @types/node to 14.18.0. This was necessary mainly for typing. Update the test versions as well - Strip out react-animate-css, just use basic css animation fadeIn/fadeOut - Made linter happy now
|
Ugh I was hoping that getting it to build (and have no typechecking errors) on Linux would let MacOS pass, but apparently not .-. |
- typescript has been held to v < 4.6 to make @types/verror (dmg license < dmg builder < electron builder) - remove extract-text-webpack-plugin: unused? - in Login.tsx, make defaultChecked for legacyAuth actually a boolean
|
...there we go. It took locking typescript at < 4.6 to make @types/verror happy, but macos should be happy. Additionally, no more vulnerabilities! |
|
Thanks for your work on this PR, looks good to me. Though I'm wondering why the linting changed even though no changes were made to the .prettierrc |
|
I would blame at least a few of those changes to prettier being upgraded from 2.0.5 to 2.6.2. Either way, thanks for taking time to review this! |
|
I just realized that the renderer is no longer hot reloading changes when running in dev mode: |
|
The weird thing is that, hot reload appears to work for me? If I change a typescript file, it will update (although the entire app refreshes). I did notice a warning in the console that said react-refresh failed, which probably has to do with webpack 4. new ReactRefreshWebpackPlugin({
overlay: {
sockHost: "localhost"
}
}), |
|
I'm seeing the webpack logs that the app is being recompiled when changes are made, but the changes don't seem to be reflecting on the app until I do a hard refresh (ctrl + R). Unfortunately adding the extra config doesn't change anything for me. I also don't see any warning that react-refresh failed, so not sure what's going on. I use Windows 10, so not sure if your testing environment is different from mine. Edit: Quite possible this is the issue? Seeing these errors in my console since the changes. |
|
Ah, I haven't used WIndows to build. I'll test it on there and report what I can find. Weirdly enough, I can confirm that on Linux and MacOS, it does spawn a websocket on localhost:4343 |
The goal of this PR is to resolve as many of the package vulnerabilities as possible. As of writing, there is still a vulnerable packages, ajv, but that can't be upgraded easily (attempting to force a resolution makes
yarn startfail). Sorry for just filing a PRSpecifically, the changes that were necessary:
node-sass(deprecated) withsassi18next-parserto v6react-animated-css(no updates for two years, led to vulnerable packages) withreact-transition-group. To support similar animation, there were a few changes to App.global.css (adapted from http://reactcommunity.org/react-transition-group/css-transition)glob-parent>= 5.1.2