Conversation

@BePo65 BePo65 commented Dec 3, 2024

To remove the long list of vulnerabilities you get when updating packages in start-server-and-test, I tried to update all used (dev-)dependencies to the latest version. Some packages cannot be updated, because that would require switching to the ESM-only format or requires a node version higher than v18 (which is the latest supported version and in maintenance mode by now).

Updating the packages reduces the list of vulnerabilities from

146 vulnerabilities (5 low, 34 moderate, 81 high, 26 critical)

to

59 vulnerabilities (3 low, 20 moderate, 27 high, 9 critical)

Not so bad, but far from perfect. It shows that some of the used packages have not been maintained for some years now.

Things I stumbled over during the updates:

  • chai v5 is ESM only (and as a consequence we cannot update sinon-chai to v4, as this would require chai v5)
  • dependency-check is deprecated and recommends using knip (which I did)
  • prettier-standard seems to be abandoned (see "This project is abandoned", sheerun/prettier-standard#137); I used prettier here. Unluckily this results in the effect that running pretty removes the space after the function keyword and running lint (to be exact: running standard) adds the space again.

Is it worth merging this PR? To be honest, I am not completely convinced.

BePo65 added 13 commits December 2, 2024 14:19

  • Running 'pretty' results in some minor formatting changes (space after function keyword is missing); running 'standard' will fix this. See also discussion in issue standard/standard#1949.
  • semantic-release v20 is an esm-only package; requires node >=v18
  • semantic-release >=v21 would require node >=20
  • Updated GitHub CI workflow to run tests on node v18, 20, 22
  • Replaces backtick with tick where applicable
  • Chai is only v4, as v5 is esm only
  • sinon-chai is v3, as v4 requires chai v4
  • All versions >=6 are esm only
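The two constraints the PR description and commit messages keep running into (ESM-only releases and engines.node ranges that exclude Node 18) can be checked mechanically from package metadata before attempting an update. The following is an added example, not code from this PR or from start-server-and-test; it assumes parsed package.json objects are passed in directly, handles only the common engines.node forms listed in the comments, and uses constructed sample metadata rather than the real manifests.

```javascript
// Added example: flag packages a CommonJS project that must keep Node 18 cannot adopt.
// Assumptions: engines.node handles ">=", ">", "<", "<=", "^", "~", "=", bare versions,
// "*" and "||" alternatives; hyphen ranges and prerelease tags are not handled.
function parseVersion(v) {
  const parts = v.replace(/^[v=]/, '').split('.').map((n) => (n === 'x' || n === '*') ? 0 : Number(n));
  const [maj = 0, min = 0, pat = 0] = parts;
  return { maj, min, pat };
}

// Can any release with the given major satisfy one "||" alternative (all comparators must hold)?
function alternativeAdmitsMajor(alt, major) {
  return alt.trim().split(/\s+/).every((cmp) => {
    if (cmp === '' || cmp === '*' || cmp === 'x') return true;
    const m = /^(>=|<=|>|<|\^|~|=)?(.+)$/.exec(cmp);
    const { maj, min, pat } = parseVersion(m[2]);
    switch (m[1]) {
      case '>=': return major >= maj;
      case '>': return major >= maj; // if major == maj, a later minor/patch still qualifies
      case '<': return major < maj || (major === maj && (min > 0 || pat > 0));
      case '<=': return major <= maj;
      default: return major === maj; // ^, ~, = and bare versions pin the major
    }
  });
}

function rangeAdmitsMajor(range, major) {
  return range.split('||').some((alt) => alternativeAdmitsMajor(alt, major));
}

// ESM-only: "type": "module" with no CommonJS entry reachable via main (.cjs) or an exports "require" condition.
function isEsmOnly(pkg) {
  if (pkg.type !== 'module') return false;
  if (typeof pkg.main === 'string' && pkg.main.endsWith('.cjs')) return false;
  const hasRequire = (node) => node !== null && typeof node === 'object' &&
    Object.entries(node).some(([k, v]) => k === 'require' || hasRequire(v));
  return !hasRequire(pkg.exports);
}

function blockedUpgrades(pkgs, supportedMajor) {
  const out = [];
  for (const pkg of pkgs) {
    const reasons = [];
    if (isEsmOnly(pkg)) reasons.push('esm-only');
    const nodeRange = pkg.engines && pkg.engines.node;
    if (nodeRange && !rangeAdmitsMajor(nodeRange, supportedMajor)) reasons.push(`needs node ${nodeRange}`);
    if (reasons.length) out.push({ name: pkg.name, version: pkg.version, reasons });
  }
  return out;
}

// Constructed sample metadata modelled on the cases the PR mentions (not the real manifests).
const SAMPLE = [
  { name: 'chai', version: '5.0.0', type: 'module', exports: { '.': { import: './index.js' } } },
  { name: 'semantic-release', version: '21.0.0', type: 'module', engines: { node: '>=20' }, exports: './index.js' },
  { name: 'sinon-chai', version: '3.7.0', main: './lib/sinon-chai.js' },
  { name: 'dual-pkg', version: '1.0.0', type: 'module', engines: { node: '^18.17 || >=20' }, exports: { '.': { import: './i.mjs', require: './i.cjs' } } },
];
console.log(JSON.stringify(blockedUpgrades(SAMPLE, 18), null, 2));
```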