Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating MEME 2018 for New Grant Work #1

Open
dsriseah opened this issue May 21, 2024 · 1 comment
Open

Updating MEME 2018 for New Grant Work #1

dsriseah opened this issue May 21, 2024 · 1 comment

Comments

@dsriseah
Copy link

dsriseah commented May 21, 2024

New fork of original MEME (2018) created. New Wiki, Issues, Projects, and Pull Requests for changes moving forward go in this repo. However, we can refer to stuff in the old WIKI as needed.

Running list of Issues

  • package updates for 2024 standards
  • merge old branches and purge them
  • material ui removal, but with what
@dsriseah
Copy link
Author

dsriseah commented Jun 5, 2024

Raw nodes on package updates from @Sakelun posted to Slack on May 21. This is the basis for the work in PR #9 Core Platform Update for Node v18


Packages Updated (Back-end)

  • adm-zip: Minor update (v0.4.14 to v0.5.10)
    Not updated

  • ajv: Major update (v6.10.2 to v8.12.0)
    Not updated

  • cookie-parser: Patch update (v1.4.4 to v1.4.6)
    Rationale: Dependency updates
    Changelog: https://github.com/expressjs/cookie-parser/blob/master/HISTORY.md

  • debounce: Major update (v1.2.0 to v2.0.0)
    Not updated

    Adds requirement: Node v18
    Updates some devDependencies for testing
    (Does not need to be updated)

  • ejs: Major update (v2.7.1 to v3.1.9)
    Rationale: npm audit vulnerability (critical) / ejs template injection vulnerability GHSA-phwq-j96m-2c2q

    Notes: changelogs apparently stop being a thing after 2.7.4 ? Was able to dig up a CHANGELOG file that provided notes for v3.0.1 which has since been removed

    v3.0.1
    Removed require.extensions (@mde)
    Removed legacy preprocessor include (@mde)
    Removed support for EOL Nodes 4 and 6 (@mde)

  • express: Minor update (v4.17.1 to v4.18.2)
    Rationale: Required for Node v18 support
    Changelog: https://expressjs.com/en/changelog/4x.html

    Relevant changes

    v4.17.2
    - Bug fixes
    - Supports Node 14.x
    v4.167.3
    - Bug fixes
    v4.18.0
    - Supports Node 18.x
    - N/A (method not used): Cookie expirations don't accept invalid dates
    - N/A (method not used): Cookie supports null/undefined as maxAge
    - N/A (status code not used): Proper support for HTTP 205 responses
    - N/A (method not used): Use http-errors for res.format()
    v4.18.1 ... v4.18.3
    - Bug fixes

  • fs-extra: Major update (v8.1.0 to v11.2.0)
    Not updated
    Changelog: https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md

    Few possible breaking changes, but fundamentally doesn't need to be updated.

  • hashids: Major update (v1.2.2 to v2.3.0)
    Rationale: Required to avoid an invalid state loop that occurs in SystemShell.jsx
    Changelog: https://github.com/niieani/hashids.js/blob/master/CHANGELOG.md

    Major changes; rewritten in Typescript
    Breaking changes:
    - when used from Node (without ESM enabled), you now need to require('hashids/cjs')
    - Hashids now throws errors when being constructed with incorrect options (previously, it silently falled back to defaults)

  • ip: Major update (v1.1.5 to v2.0.1 v1.1.9)
    Rationale: Node v18 support added in v1.1.6+; CVEs "fixed" in v1.1.9+ or 2.0.1+
    Changelog: None provided; inferred from commit history

    Active CVEs on this project and seems unmaintained: Security Advisory: NPM ip package still incorrectly identifies some private IP addresses as public indutny/node-ip#150

  • lokijs: Patch update (v1.5.7 to v1.5.12)
    Not updated
    Changelog: None maintained beyond 1.5.7

  • multer: Patch update (v1.4.2 to v1.4.5-lts.1)
    Rationale: Resolves DoS vulnerability and 1.4.2 is deprecated (CVE-2022-24434: DoS affecting dicer (sub-dependency) expressjs/multer#1254)
    Changelog: None maintained beyond 1.4.2

    Of consequence, this issue casts doubt on the level of Node support provided by moving to the 2.x series. The 1.4.5-lts.1 version does not refer to fs-temp as noted in the issue.

  • stacktrace-js: Patch update (v2.0.1 to v2.0.2)
    Rationale: Contains vulnerability fixes
    Changelogs:
    https://github.com/stacktracejs/stacktrace.js/blob/master/CHANGELOG.md (not maintained beyond 2.0.0)
    https://github.com/stacktracejs/stacktrace.js/releases/tag/v2.0.2

    Dependency update (to address a vulnerability in [email protected]) and sourcemap fix

  • superagent: Major update (v5.1.0 to v8.1.2 v8.0.9)
    Rationale: Deprecated, authors indicate v7.1.5 or v8.0.0+ be used instead. v8.0.3 first mention of Node v18 support
    Changelog: https://github.com/ladjs/superagent/releases

    v5.x to v6.x:
    - N/A (Not opting into retry): Retry behavior is still opt-in, however we now have a more fine-grained list of status codes and error codes that we retry against (see updated docs)
    v6.x to v7.0:
    - Browser behaviour changed to match Node when serializing application/x-www-form-urlencoded, using arrayFormat: 'indices' semantics of qs library. (See: https://www.npmjs.com/package/qs#stringifying)
    v7.0 to v8.0:
    - N/A (Not used): ActiveXObject gone

  • tracer: Major update (v0.9.9 to v1.3.0)
    Rationale: Several security fixes contained within update path; only package updates otherwise
    Changelog: https://github.com/baryon/tracer?tab=readme-ov-file#history

  • uuid: Major update (v3.3.3 to v9.0.1)
    Not updated
    Changelog: https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md

    Significant Changes

    v7.0.0:
    - N/A (not using default method): Default method removed
    - ESM/CJS split build introduced
    - Insecure RNG not allowed in browsers
    v8.0.0:
    - N/A (not using ESM): ESM only supports named exports

  • ws: Major update (v7.1.2 to v8.16.0 v7.5.9)
    Rationale: NodeJS compatibility, important backports
    Changelog: https://github.com/websockets/ws/releases

    Significant Changes

    v7.2.5: Fix compatibility with NodeJS:master
    v7.4.0: Provides access to HTTP GET request during socket 'connection' event; used in NetCreate-Auth/Access-Lite to propagate JWT user information between Express+WSS events
    v7.4.6: Regex DoS vulnerability fix
    v7.5.x: Backports (last on July 15th 2022)

Packages Updated (Web-pack Stack)

  • copy-webpack-plugin: (v4.5.4 to v12.0.2)
  • html-webpack-plugin: (v3.2.0 to v5.6.0)
  • mini-css-extract-plugin: Major update (v0.4.3 to v2.8.0)
  • optimize-css-assets-webpack-plugin: Removed
  • uglifyjs-webpack-plugin: Removed
  • webpack: (v4.41.0 to v5.90.3)
  • webpack-cli: (v3.3.9 to v5.1.4)
  • webpack-dev-middleware: (v3.7.2 to v7.0.0)
  • webpack-dev-server: (v3.8.1 to v5.0.2)
  • webpack-hot-middleware: (v2.25.0 to v2.26.1)

Packages Updated (Front-end)

  • @dagrejs/graphlib
  • MUI (v4 to v5)
  • bootstrap
  • classnames
  • clsx
  • color
  • cropperjs
  • electron
  • jquery
  • prop-types
  • react, react-dom
  • react-draggable
  • react-router
  • react-router-config
  • react-router-dom
  • react-router-proptypes
  • reactstrap
  • rfdc (Really Fast Deep Clone); only used on FE
  • styled-components (introduced)
  • webrtc-adapter: (removed: not used)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant