Potential security issues in outdated dependencies

[arm4b]

Warning! st2web needs help and React/UI maintainer!

st2web has a lot of security warnings in its outdated npm dependencies located in https://github.com/StackStorm/st2web/blob/master/yarn.lock

(https://github.com/StackStorm/st2web/network/alerts)

We'll need someone experienced in React/UI/Javascript to update them, making sure st2web functionality/tests are still working as before.

We'll probably need to get another round of manual/UI testing searching for regressions once the patching is done.

[guzzijones]

I am running an npm update now. I see the deprecated warnings. I will take a stab at this.

[guzzijones]

I am working on removing cryptiles and changing to @hapi/cryptiles in each modules.

[punkrokk]

Let @bgaeddert know your progress, he was working on this also

…

On May 8, 2020, at 5:03 PM, AJ ***@***.***> wrote:  I am working on removing cryptiles and changing to @hapi/cryptiles in each modules. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[guzzijones]

@bgaeddert please pop in here if you are working on another.

[punkrokk]

@armab I think we addressed this with #757, do you agree?

[arm4b]

@punkrokk I'd say partially. While #757 removes some unused dependencies, there is no PR which updates existing dependencies.

Currently https://github.com/StackStorm/st2web/network/alerts still shows some 25 security issues, which is an improvement comparing to 36 before.

[punkrokk]

@armab This PR: #794 addressed all of this. If you approve, please close.

[arm4b]

I guess we need to merge the #794 first to understand if https://github.com/StackStorm/st2web/network/alerts is clear.
Do we have someone who can review that PR?

[nmaludy]

These issues have been remediated and only development dependencies are outlying as of the 3.3.0 release!