
plasma-infra(audit): Resolve root dependencies(dev) vulnerabilities #824

Merged: 7 commits from chore-clear-root-package-json into dev, Nov 8, 2023

Conversation

@Yakutoc (Collaborator) commented Oct 30, 2023

Release Notes

Cleaned up the root package.json:

  1. Removed storybook
  2. Fixed a number of critical vulnerabilities
  3. Added the dependencies that were previously pulled in transitively by the storybook installation.

What/why Changed

Storybook was removed because it is a leftover from installing/using the chromatic library.

[Screenshot, 2023-10-11 12:42]

Resolve transitive dev dependencies

  • @babel/plugin-proposal-class-properties
  • @babel/plugin-transform-react-constant-elements
  • babel-loader
  • url-loader

Note: these were previously pulled in transitively by the storybook installation and its plugins

For the perf test to run correctly:

  • react - needed to run the perf test
  • react-dom - needed to run the perf test

Resolve root dependencies(dev) vulnerabilities:

Before npm audit

[Screenshot, 2023-11-03 10:17: npm audit before]

After npm audit

[Screenshot, 2023-11-03 11:32: npm audit after]

Before:: dependabot alerts

[Image: dependabot alerts before resolving root vulnerabilities]

After:: dependabot alerts

[Screenshot, 2023-11-08 17:23: dependabot alerts after]

⚡ Component performance testing

Result: 🟢 OK

🐤 Download canary assets (build 6795562408, file pattern `<token>_<theme>_<platform>--canary.824.6795562408.<ext>`):
  • borderRadius: react-native (.ts) for default, plasma_b2c, plasma_web, sberHealth, sbermarket, sbermarket_business, sbermarket_metro, sbermarket_selgros, sbermarket_wlbusiness, sberonline, sberprime, stylesSalute
  • shadow: react-native (.ts) for the same 12 themes
  • color: ios-swift (.swift), kotlin (.kt), react-native (.ts) and xml (.xml) for the same 12 themes
  • spacing: react-native (.ts) for the same 12 themes
  • typo: ios-swift (.swift), kotlin (.kt) and react-native (.ts) for mage, plasma, ruler, sage, sbermarket, soulmate

@Yakutoc Yakutoc self-assigned this Oct 30, 2023
@Yakutoc Yakutoc marked this pull request as ready for review October 31, 2023 06:09
@Yakutoc Yakutoc force-pushed the chore-clear-root-package-json branch from 7919715 to 6a07800 Compare November 3, 2023 04:44
@Yakutoc Yakutoc changed the title from "plasma-infra: Clear root package.json" to "plasma-infra(audit): Resolve root dependencies(dev) vulnerabilities" Nov 3, 2023
@Yakutoc Yakutoc force-pushed the chore-clear-root-package-json branch from 6a07800 to 322f621 Compare November 3, 2023 05:07
@Salute-Eva (Contributor) commented:

Theme Builder app deployed!

http://plasma.sberdevices.ru/pr/plasma-theme-builder-pr-824/

@Yakutoc Yakutoc removed the request for review from kayman233 November 3, 2023 08:14
Commits (7):

  • because "update-deps" plugin not working
  • ejs template injection vulnerability - GHSA-phwq-j96m-2c2q
  • Prototype Pollution in immer - GHSA-c36v-fmgq-m8hx
  • Prototype pollution in Merge-deep - GHSA-r6rj-9ch6-g264
  • delete unnecessary storybook from root
  • used in a disabled plugin
  • resolve missing transitive dep
@Yakutoc Yakutoc force-pushed the chore-clear-root-package-json branch from 322f621 to 871f50b Compare November 8, 2023 08:23
@Yakutoc Yakutoc added the vulnerabilities vulnerabilities alerts label Nov 8, 2023
@Yakutoc Yakutoc added this pull request to the merge queue Nov 8, 2023
Merged via the queue into dev with commit d28c240 Nov 8, 2023
18 checks passed
@Yakutoc Yakutoc deleted the chore-clear-root-package-json branch November 8, 2023 09:15
@Salute-Eva (Contributor) commented:

🚀 This PR is included in version: @salutejs/[email protected], @salutejs/[email protected], @salutejs/[email protected], @salutejs/[email protected], @salutejs/[email protected], @salutejs/[email protected], @salutejs/[email protected], @salutejs/[email protected], @salutejs/[email protected], @salutejs/[email protected] 🚀
