@arm4b arm4b commented Nov 23, 2023

Second stage to update upstream dependencies #133

A follow-up to #183, which updated dependencies minimally via npm audit fix, this PR updates things in a more radical way via npm update.

Before:

found 180 vulnerabilities (12 low, 92 moderate, 52 high, 24 critical) in 668 scanned packages

After:

added 136 packages from 120 contributors, removed 143 packages, updated 218 packages, moved 9 packages and audited 700 packages in 885.083s

found 87 vulnerabilities (69 moderate, 16 high, 2 critical)

This may potentially break things, so I'm creating a dedicated PR in case we need to revert it in the future (after e2e st2chatops tests).

@arm4b arm4b added the security label Nov 23, 2023

arm4b commented Nov 23, 2023

The last working state after reverting failing hubot-spark/@webex updates:

-found 87 vulnerabilities (69 moderate, 16 high, 2 critical)
+found 131 vulnerabilities (12 low, 77 moderate, 32 high, 10 critical)

which is still better than:

found 180 vulnerabilities (12 low, 92 moderate, 52 high, 24 critical)
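As an added illustration (not code from this PR or from st2chatops), the following parses the `npm audit` summary lines quoted in the description and in the comment above, and computes the per-severity change between two runs. It handles the case visible in the "After" line, where npm omits a severity category with zero findings, and cross-checks the breakdown against the stated total.

```python
"""Parse and compare the summary lines that `npm audit` prints.

Sample lines used below are quoted from the PR; the parsing and delta
logic is an added example, not part of st2chatops.
"""
import re
from typing import Dict

SEVERITIES = ("low", "moderate", "high", "critical")

# e.g. "found 87 vulnerabilities (69 moderate, 16 high, 2 critical) in 700 scanned packages"
# The parenthesised breakdown is absent when the count is 0.
_SUMMARY = re.compile(r"found (\d+) vulnerabilit(?:y|ies)(?: \(([^)]*)\))?")


def parse_audit_summary(line: str) -> Dict[str, int]:
    """Return low/moderate/high/critical/total counts for one summary line.

    Severities missing from the breakdown (npm omits categories with zero
    findings) are reported as 0; the breakdown must add up to the total.
    """
    m = _SUMMARY.search(line)
    if not m:
        raise ValueError(f"not an npm audit summary line: {line!r}")
    total = int(m.group(1))
    counts = {sev: 0 for sev in SEVERITIES}
    for part in filter(None, (p.strip() for p in (m.group(2) or "").split(","))):
        n, sev = part.split()
        if sev not in counts:
            raise ValueError(f"unknown severity {sev!r} in {line!r}")
        counts[sev] = int(n)
    if sum(counts.values()) != total:
        raise ValueError(f"breakdown does not add up to {total} in {line!r}")
    counts["total"] = total
    return counts


def severity_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-severity change; negative means fewer findings after the update."""
    return {k: after[k] - before[k] for k in SEVERITIES + ("total",)}


def worse_at_high_or_critical(before: Dict[str, int], after: Dict[str, int]) -> bool:
    """True when high or critical findings went up, even if the total dropped."""
    d = severity_delta(before, after)
    return d["high"] > 0 or d["critical"] > 0


if __name__ == "__main__":
    before = parse_audit_summary("found 180 vulnerabilities (12 low, 92 moderate, 52 high, 24 critical) in 668 scanned packages")
    after = parse_audit_summary("found 131 vulnerabilities (12 low, 77 moderate, 32 high, 10 critical)")
    print(severity_delta(before, after), worse_at_high_or_critical(before, after))
```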

@arm4b arm4b marked this pull request as ready for review November 24, 2023 00:00
@arm4b arm4b requested a review from a team November 24, 2023 00:01
@arm4b arm4b linked an issue Nov 24, 2023 that may be closed by this pull request

@nzlosh nzlosh left a comment


Let's merge and see what happens.

Base automatically changed from update/dependencies to master November 24, 2023 08:05
@arm4b arm4b requested a review from a team November 24, 2023 17:43

arm4b commented Nov 24, 2023

ChatOps e2e tests for #133 were ✅.
This PR is ready to be merged too!

@arm4b arm4b enabled auto-merge November 24, 2023 19:07
@arm4b arm4b merged commit f458d55 into master Nov 27, 2023
@arm4b arm4b deleted the update/dependencies2 branch November 27, 2023 07:58

arm4b commented Nov 27, 2023

e2e tests are doing well; glad it worked.

Worth mentioning that our e2e run tests against Slack. There is more risk for other supported chat systems. We should ask the community to check if things still work in other chat systems during the community pre-release testing.


Successfully merging this pull request may close these issues.

Regenerate npm-shrinkwrap to up-to-date dependencies (security)

4 participants