- Ask Jembi to make us contributors of Hearth.
- Fork Hearth https://github.com/jembi/hearth , run yarn audit on it and upgrade security patches then review solution with Riku / Euan
- Riku and Euan to make a PR on Hearth repo for Ryan to merge in

Dependencies with Critical vulnerabilities:
- fixed broken tests
- tap -> Bumped up from 10.1 to 12.6
- talisman -> Bumped up from 0.21.0 to 1.1.4
- standard -> Bumped up from 8.6.0 to 11.0.0
- fhir -> Used yarn resolutions for lodash and xmlbuilder
Dependencies with High vulnerabilities:
- tap -> Bumped up from 12.6 to 14.10
- mongodb -> Bumped up from 2.2.22 to 3.5.4
- codecov -> Bumped up from 3.6.1 to 3.8.3
- nconf -> Bumped up from 0.10.0 to 0.11.3
- libxmljs -> Already at the latest version that is currently available so need to use yarn resolutions for its dependencies
- node-pre-gyp -> This package is now deprecated
- tar -> Added resolution for tar 4.4.19
- ini
- node-pre-gyp -> This package is now deprecated
Dependencies with Moderate vulnerabilities:
- snazzy -> Bumped up from 8.0.0 to 9.0.0
- standard -> Bumped up from 11.0.0 to 16.0.4
- tap -> Bumped up from 14.10 to 15.2.3
- urijs -> Bumped up from 1.19.2 to 1.19.10
- jsprim -> Bumped up from 1.4.1 to 1.4.2
Node engine limitation
Previously Hearth was limited to using node >= 6.9.0 and < 9.0.0 because using anything newer
would cause the build process to fail. The issue was actually with fhir->libxmljs->nan, and using
libxmljs >= 0.18.8 made it possible to remove the engine limitation.
Now it works with node v14.18.1.
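
One way to triage `yarn audit --json` output into the severity buckets listed above, separating direct bumps from transitive findings that need a parent upgrade or a yarn resolution. This is an added example, not code from this issue or the Hearth repo: it assumes Yarn 1.x line-delimited audit output, the sample records are constructed (ids and patched ranges are placeholders), and `planFixes` is a hypothetical helper name.

```javascript
// Triage Yarn 1.x `yarn audit --json` output (one JSON object per line).
// SAMPLE is constructed for illustration: ids and patched ranges are placeholders.
const SAMPLE = [
  '{"type":"auditAdvisory","data":{"resolution":{"id":1,"path":"fhir>libxmljs>node-pre-gyp>tar"},"advisory":{"module_name":"tar","severity":"moderate","patched_versions":"<placeholder>"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":2,"path":"fhir>libxmljs>node-pre-gyp>tar"},"advisory":{"module_name":"tar","severity":"high","patched_versions":"<placeholder>"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":3,"path":"urijs"},"advisory":{"module_name":"urijs","severity":"moderate","patched_versions":"<placeholder>"}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":4,"path":"fhir>lodash"},"advisory":{"module_name":"lodash","severity":"critical","patched_versions":"<placeholder>"}}}',
  'warning: a non-JSON line that must be skipped',
  '{"type":"auditSummary","data":{"vulnerabilities":{"moderate":2,"high":1,"critical":1}}}',
].join('\n');

const ORDER = ['critical', 'high', 'moderate', 'low', 'info'];
const rank = (sev) => ORDER.indexOf(sev);

// Returns one entry per (vulnerable module, top-level dependency), worst severity first.
function planFixes(ndjson) {
  const seen = new Map();
  for (const line of ndjson.split('\n')) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // tolerate log noise
    if (!rec || rec.type !== 'auditAdvisory') continue;  // skip auditSummary etc.
    const { resolution, advisory } = rec.data;
    const chain = resolution.path.split('>');            // e.g. fhir>libxmljs>...>tar
    const key = `${advisory.module_name}|${chain[0]}`;
    const prev = seen.get(key);
    // Several advisories can hit the same module: keep the most severe one.
    if (prev && rank(prev.severity) <= rank(advisory.severity)) continue;
    const direct = chain.length === 1;
    seen.set(key, {
      severity: advisory.severity,
      module: advisory.module_name,
      topLevel: chain[0],
      path: resolution.path,
      direct,
      patched: advisory.patched_versions,
      // Direct deps are bumped in package.json; transitive ones need the
      // parent upgraded or, if the parent has no fixed release, a resolution.
      action: direct ? 'bump in package.json' : 'upgrade parent or add yarn resolution',
    });
  }
  return [...seen.values()].sort((a, b) => rank(a.severity) - rank(b.severity));
}

for (const f of planFixes(SAMPLE)) {
  console.log(`${f.severity.padEnd(8)} ${f.module.padEnd(8)} via ${f.path} -> ${f.action}`);
}
```

Pipe real output in with `yarn audit --json` and rerun after each bump; a transitive entry that persists once its parent is at the latest release is a candidate for a `resolutions` pin.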