fix(security): vulnerabilities + remove coveralls #1333

Merged
benjlevesque merged 7 commits into master from fix/security/vulnerabilities on Jan 18, 2024

Conversation

@benjlevesque (Contributor) commented Jan 18, 2024

Changes

This PR upgrades Lerna from 3 to 6; there is no breaking change, and the new version is actually pretty nice. We'll need to confirm publish still works. NB: Lerna was the cause of many vulnerabilities.

It also drops coveralls and the publish-coverage step from the CI. I don't think code coverage is worth having critical vulnerabilities, and there's no fix available (the library hasn't been maintained for 3 years).

Resolutions

Before:

$ yarn audit
yarn audit v1.22.19
[...]
58 vulnerabilities found - Packages audited: 1699
Severity: 19 Moderate | 32 High | 7 Critical
Done in 2.92s.

After:

$ yarn audit
yarn audit v1.22.19
0 vulnerabilities found - Packages audited: 1611
Done in 2.58s.

NB: this is optimistic; the OpenZeppelin vulnerabilities will not be removed by this PR.

Critical

https://github.com/RequestNetwork/requestNetwork/security/dependabot/207
https://github.com/RequestNetwork/requestNetwork/security/dependabot/177
https://github.com/RequestNetwork/requestNetwork/security/dependabot/137
https://github.com/RequestNetwork/requestNetwork/security/dependabot/123
https://github.com/RequestNetwork/requestNetwork/security/dependabot/51
https://github.com/RequestNetwork/requestNetwork/security/dependabot/14

High

https://github.com/RequestNetwork/requestNetwork/security/dependabot/182
https://github.com/RequestNetwork/requestNetwork/security/dependabot/172
https://github.com/RequestNetwork/requestNetwork/security/dependabot/165
https://github.com/RequestNetwork/requestNetwork/security/dependabot/124
https://github.com/RequestNetwork/requestNetwork/security/dependabot/120
https://github.com/RequestNetwork/requestNetwork/security/dependabot/113
https://github.com/RequestNetwork/requestNetwork/security/dependabot/101
https://github.com/RequestNetwork/requestNetwork/security/dependabot/80
https://github.com/RequestNetwork/requestNetwork/security/dependabot/75
https://github.com/RequestNetwork/requestNetwork/security/dependabot/45
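The before/after `yarn audit` summaries above are the kind of output a CI job can gate on. The script below is an added example, not code from this PR or from the Request Network repository: it parses the summary lines that Yarn 1.x `yarn audit` prints (in the format shown in the description), and fails the job while any High or Critical findings remain. The two sample outputs are constructed from the numbers in the description; the `severity_count`, `total_count` and `audit_gate` function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the PR: a CI gate over the summary that
# Yarn 1.x `yarn audit` prints. It fails when High or Critical findings
# remain. The sample outputs below are constructed from the before/after
# numbers in the PR description.

# Print the count for one severity word ("Moderate", "High", "Critical", ...)
# from the "Severity: N Moderate | N High | N Critical" line; 0 if absent.
severity_count() {
  count=$(printf '%s\n' "$1" \
    | sed -n 's/.*[:|] *\([0-9][0-9]*\) '"$2"'.*/\1/p' \
    | head -n 1)
  echo "${count:-0}"
}

# Print the total from the "N vulnerabilities found" line; 0 if absent.
total_count() {
  count=$(printf '%s\n' "$1" \
    | sed -n 's/^\([0-9][0-9]*\) vulnerabilities found.*/\1/p' \
    | head -n 1)
  echo "${count:-0}"
}

# Return 0 when the output has no High or Critical findings, 1 otherwise.
audit_gate() {
  high=$(severity_count "$1" High)
  critical=$(severity_count "$1" Critical)
  total=$(total_count "$1")
  if [ "$high" -gt 0 ] || [ "$critical" -gt 0 ]; then
    echo "audit gate: FAIL - $total findings ($high high, $critical critical)"
    return 1
  fi
  echo "audit gate: OK - $total findings, none high or critical"
  return 0
}

# Constructed sample output, before the dependency upgrade (numbers from the PR).
BEFORE_AUDIT='yarn audit v1.22.19
58 vulnerabilities found - Packages audited: 1699
Severity: 19 Moderate | 32 High | 7 Critical
Done in 2.92s.'

# Constructed sample output, after the upgrade (numbers from the PR).
AFTER_AUDIT='yarn audit v1.22.19
0 vulnerabilities found - Packages audited: 1611
Done in 2.58s.'

# Stand-alone demo. In a CI step you would feed the real command instead,
# e.g.: audit_gate "$(yarn audit 2>&1 || true)"
audit_gate "$BEFORE_AUDIT" || echo "(before-upgrade output is blocked, as expected)"
audit_gate "$AFTER_AUDIT"
```

Gating on the parsed summary rather than on `yarn audit`'s exit status keeps the threshold explicit and lets the job record the counts it saw, which is useful when a finding (like the OpenZeppelin ones mentioned above) is known and cannot yet be removed.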

benjlevesque force-pushed the fix/security/vulnerabilities branch from 8a32e1c to 77d45fb on January 18, 2024 10:53
benjlevesque changed the title from "fix/security/vulnerabilities" to "fix(security): vulnerabilities" on Jan 18, 2024
benjlevesque changed the title from "fix(security): vulnerabilities" to "fix(security): vulnerabilities + remove coveralls" on Jan 18, 2024
benjlevesque marked this pull request as ready for review on January 18, 2024 11:23
@alexandre-abrioux (Contributor) left a comment:

🤩 amazing

benjlevesque merged commit 384818b into master on Jan 18, 2024
benjlevesque deleted the fix/security/vulnerabilities branch on January 18, 2024 13:19