Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps/security): upgrade to latest stable #4458

Merged
merged 1 commit into from
Oct 9, 2020
Merged

chore(deps/security): upgrade to latest stable #4458

merged 1 commit into from
Oct 9, 2020

Conversation

AviVahl
Copy link
Contributor

@AviVahl AviVahl commented Oct 2, 2020

Description of the Change

  • Upgrade dependencies to latest stable versions.
  • Replace rollup-plugin-node-builtins with rollup-plugin-node-polyfills, as former causes audit failures and latter seems just a bit* more maintained.

Alternate Designs

Consider using dependabot or renovate to automatically open PRs for updates.

Why should this be in core?

To resolve consumer deprecation messages when installing mocha:
warning mocha > yargs-unparser > [email protected]: Fixed a prototype pollution security issue in 4.1.0, please upgrade to ^4.1.1 or ^5.0.1.

To reduce the number of repo audit failures from:
found 51 vulnerabilities (5 low, 2 moderate, 44 high) in 2841 scanned packages
to:
found 3 low severity vulnerabilities in 2629 scanned packages

Benefits

Better deduping for the other packages.

Possible Drawbacks

None that I'm aware.

Applicable issues

closes #4410

@AviVahl

This comment has been minimized.

@coveralls
Copy link

coveralls commented Oct 2, 2020

Coverage Status

Coverage remained the same at 94.075% when pulling 96c5e87 on AviVahl:upgrade-dependencies into b216fcd on mochajs:master.

Copy link
Contributor

@outsideris outsideris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure about the netlify/mocha/deploy-preview check. Tells me:

Netlify failed caused by an opencollective issue.

@outsideris outsideris added type: chore generally involving deps, tooling, configuration, etc. area: security involving vulnerabilities labels Oct 2, 2020
@outsideris
Copy link
Contributor

OpenCollective had internal server errors for some avatar images. It seems OC fixed the issue.
So, I re-ran netlify build.

@deleonio
Copy link
Contributor

deleonio commented Oct 3, 2020

Thanks for this fast PR!!!

Note: There is a breaking change inside! https://github.com/yargs/yargs-unparser/releases/tag/v2.0.0

We need the mocha fix for our https://www.npmjs.com/package/@leanup/cli#dependencies.

@AviVahl
Copy link
Contributor Author

AviVahl commented Oct 3, 2020

It's not breaking, as mocha already dropped these node versions.

@boneskull
Copy link
Contributor

need to run this against all browsers...sigh.

@boneskull
Copy link
Contributor

build here

@AviVahl
Copy link
Contributor Author

AviVahl commented Oct 6, 2020

@boneskull correct me if I'm wrong, but the failures I'm seeing don't seem to relate to the upgrades. does master pass (for that "all browsers" test)?

@AviVahl
Copy link
Contributor Author

AviVahl commented Oct 8, 2020

rebased to current master. squashed into a single commit. regenerated lock file. (lock file diff has a nice de-duping effect)

@AviVahl

This comment has been minimized.

@AviVahl
Copy link
Contributor Author

AviVahl commented Oct 8, 2020

Pushed another commit which reduces the audit failures to:
found 3 low severity vulnerabilities in 2629 scanned packages

@AviVahl
Copy link
Contributor Author

AviVahl commented Oct 8, 2020

this does not include [email protected], as #4465 handles that.

@AviVahl AviVahl changed the title chore(deps): upgrade to latest stable chore(deps/security): upgrade to latest stable Oct 8, 2020
@boneskull
Copy link
Contributor

this now has conflicts

@boneskull
Copy link
Contributor

I think you just need to rebase to get the workerpool update

@AviVahl
Copy link
Contributor Author

AviVahl commented Oct 9, 2020

will rebase

@AviVahl
Copy link
Contributor Author

AviVahl commented Oct 9, 2020

@boneskull any idea if the flakiness related to the workerpool/parallel test changes?

@boneskull
Copy link
Contributor

yeah failure is related to that, but unsure what's wrong. haven't had it fail before! could be something in the lockfile or the github actions cache... or just windows flake or windows flake on a specific node version (again, which hasn't surfaced).

we need to be certain the failure is unrelated though. I can't view the diff of the lockfile on my phone, maybe you can diff the workerpool subtree with what's in master and assert it's identical. if so, then it's likely unrelated to the changes here

@boneskull
Copy link
Contributor

subtree meaning in the lockfile not on disk

@AviVahl
Copy link
Contributor Author

AviVahl commented Oct 9, 2020

I checked the lockfile. both master and the branch have the same version of workerpool (6.0.2). nothing special there.

- replace `rollup-plugin-node-builtins` with  `rollup-plugin-node-polyfills`, as former causes audit failures and latter seems just a bit* more maintained.
- regenerate lock file
@AviVahl
Copy link
Contributor Author

AviVahl commented Oct 9, 2020

rebased to master again, to see if failure is consistent.

@AviVahl
Copy link
Contributor Author

AviVahl commented Oct 9, 2020

Failure did not occur post rebase.

@boneskull
Copy link
Contributor

I hope this is not the start of consistent flake. anyway, ty

@boneskull boneskull merged commit 2852505 into mochajs:master Oct 9, 2020
@boneskull boneskull added this to the next milestone Oct 9, 2020
@boneskull boneskull added the semver-patch implementation requires increase of "patch" version number; "bug fixes" label Oct 9, 2020
@AviVahl AviVahl deleted the upgrade-dependencies branch October 9, 2020 21:32
@boneskull boneskull modified the milestones: next, v8.2.0 Oct 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area: security involving vulnerabilities semver-patch implementation requires increase of "patch" version number; "bug fixes" type: chore generally involving deps, tooling, configuration, etc.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Flat 4.1.0 is deprecated causing an npm warn
5 participants