Skip to content

Security upgrades #203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
euanmillar wants to merge 25 commits into
base: master
Choose a base branch
from
Open

Security upgrades #203

euanmillar wants to merge 25 commits into from

Conversation

@euanmillar
Copy link
Collaborator

@euanmillar euanmillar commented Mar 30, 2022

Dependencies with Critical vulnerabilities:

  • fixed broken tests
  • tap -> Bumped up from 10.1 to 12.6
  • talisman -> Bumped up from 0.21.0 to 1.1.4
  • standard -> Bumped up from 8.6.0 to 11.0.0
  • fhir -> Used yarn resolutions for lodash and xmlbuilder

Dependencies with High vulnerabilities:

  • tap -> Bumped up from 12.6 to 14.10
  • mongodb -> Bumped up from 2.2.22 to 3.5.4
  • codecov -> Bumped up from 3.6.1 to 3.8.3
  • nconf -> Bumped up from 0.10.0 to 0.11.3
  • libxmljs -> Already at the latest version that is currently available so need to use yarn resolutions for its dependencies
    • node-pre-gyp -> This package is now deprecated
      • tar -> Added resolution for tar 4.4.19
      • ini

Dependencies with Moderate vulnerabilities:

  • snazzy -> Bumped up from 8.0.0 to 9.0.0
  • standard -> Bumped up from 11.0.0 to 16.0.4
  • tap -> Bumped up from 14.10 to 15.2.3
  • urijs -> Bumped up from 1.19.2 to 1.19.10
  • jsprim -> Bumped up from 1.4.1 to 1.4.2

Node engine limitation

Previously hearth was limited to using node >= 6.9.0 and < 9.0.0 because using anything newer
would cause the build process to fail. The issue was actually with fhir->libxmljs->nan and using
libxmljs >= 0.18.8 made it possible to remove the engine limitation.

Now it works with node v14.18.1

@Zangetsu101 @euanmillar
Fix broken tests
aade0ef
@Zangetsu101 @euanmillar
Bump up tap from 10.1 to 12.6
7bb65b4
@Zangetsu101 @euanmillar
Bump up talisman from 0.21.0 to 1.1.4
50b66da
@Zangetsu101 @euanmillar
Bump up standard from 8.6.0 to 11.0.0
36179be
@Zangetsu101 @euanmillar
Bump up standard from 11.0.0 to 12.0.1
67317f2
@Zangetsu101 @euanmillar
Bump up mongodb from 2.2.22 to 3.5.4
d156dd3
@Zangetsu101 @euanmillar
Remove engine limitations
895bf29 
The main issue which was preventing hearth from building was in
libxmljs->nan and it was fixed in nan >= 2.8.0 which is used in
libxmljs >= 0.18.8
@Zangetsu101 @euanmillar
Bump up tap from 12.6 to 14.10
fbf9c32
@Zangetsu101 @euanmillar
Make tests run serially
8cd1fb0 
Some tests fail if the tests run in parallel.
@Zangetsu101 @euanmillar
Bump up nconf from 0.10.0 to 0.11.3
8c36e14
@Zangetsu101 @euanmillar
Bump up codecov from 3.6.1 to 3.8.3
8430344
@Zangetsu101 @euanmillar
Add resolution for tar 4.4.19
31ba9b4 
Tar is a dependency of libxmljs->node-pre-gyp and libxmljs is
already at the latest version that is currently available.
Furthermore, node-pre-gyp is now deprecated so had to add
resolution directly for tar.
@Zangetsu101 @euanmillar
Upgrade ini to 1.3.8
7872e59
@Zangetsu101 @euanmillar
Bump up standard from 12.0.1 to 13.1.0
cbd9583
@Zangetsu101 @euanmillar
Bump up standard from 13.1.0 to 14.3.4
3363ced
@Zangetsu101 @euanmillar
Dedup 'mkdirp' in lock file
c7bf7f0
@Zangetsu101 @euanmillar
Upgrade hosted-git-info
781ffe1
@Zangetsu101 @euanmillar
Dedup minmist
cbe4005
@Zangetsu101 @euanmillar
Bump up snazzy from 8.0.0 to 9.0.0
e43c59e
@Zangetsu101 @euanmillar
Bump up standard from 14.3.4 to 15.0.1
a37cae4
@Zangetsu101 @euanmillar
Bump up standard from 15.0.1 to 16.0.4
dccd7d9
@Zangetsu101 @euanmillar
Bump up tap from 14.10 to 15.2.3
d3f9e6c
@Zangetsu101 @euanmillar
Bump up urijs from 1.19.2 to 1.19.10
5ebe118
@Zangetsu101 @euanmillar
Bump up jsprim from 1.4.1 to 1.4.2
1fe71bf
@Zangetsu101 @euanmillar
Dedup string-width
aa7ac63
@euanmillar euanmillar requested a review from rcrichton March 30, 2022 15:25
@euanmillar euanmillar mentioned this pull request Mar 30, 2022
Closed
21 tasks
@rikukissa rikukissa mentioned this pull request May 19, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rikukissa rikukissa rikukissa approved these changes

@rcrichton rcrichton Awaiting requested review from rcrichton

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@euanmillar @rikukissa @Zangetsu101