@brcrista brcrista commented Jun 14, 2021

In #845 the workflow https://github.com/actions/toolkit/actions/workflows/audit.yml failed because of some known vulnerabilities.

Most of these I fixed with npm audit fix. However, the lerna package, which is a dev dependency, needs to be updated (discussion). Therefore, I'm changing the workflow to run with --production, which excludes dev dependencies.

Sample output: [image]

@brcrista brcrista requested review from konradpabjan and thboop June 14, 2021 17:35
@brcrista brcrista requested a review from a team as a code owner June 14, 2021 17:35
@brcrista brcrista requested a review from a team June 14, 2021 17:35
@brcrista brcrista mentioned this pull request Jun 14, 2021
@konradpabjan
Contributor

Why is the lockfileVersion being bumped to version 2 in all the package-lock.json files? 🤔

It's introducing quite a few changes that I think we can avoid.

@brcrista
Contributor Author

@konradpabjan that's probably because I ran npm audit fix with npm 7. I'll undo and redo with npm 6.

@brcrista brcrista force-pushed the brcrista/audit-fix branch from be8c8a7 to f1ba29d Compare June 14, 2021 19:14
Contributor

@konradpabjan konradpabjan left a comment

LGTM! 🚀

@thboop could you confirm if these changes are good?

Collaborator

@thboop thboop left a comment

LGTM

@brcrista brcrista merged commit 9167ce1 into main Jun 16, 2021
@brcrista brcrista deleted the brcrista/audit-fix branch June 16, 2021 13:20
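
The two points raised in this thread (dev dependencies being out of scope for a production audit, and npm 7 rewriting `package-lock.json` as `lockfileVersion` 2) can both be checked from the lockfile itself. The following is an added example, not code from this pull request or from actions/toolkit; `listPackages`, `auditScope`, the sample lockfiles and the package versions are constructed for illustration, and the `dev` flag in the lockfile is used as an approximation of what a production-only audit leaves out.

```javascript
// Added example (constructed data): list {name, dev} for a v1 or v2 package-lock.json.
function listPackages(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2: flat map keyed by install path ("" is the root).
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      const i = path.lastIndexOf('node_modules/');
      const name = i === -1 ? path : path.slice(i + 'node_modules/'.length);
      out.push({ name, dev: meta.dev === true });
    }
    return out;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      out.push({ name, dev: meta.dev === true });
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return out;
}

// Report lockfile format drift and which advisory names sit in dev-only packages.
function auditScope(lockText, advisoryNames, expectedVersion = 1) {
  const lock = JSON.parse(lockText);
  const pkgs = listPackages(lock);
  const prod = new Set(pkgs.filter((p) => !p.dev).map((p) => p.name));
  const dev = new Set(pkgs.filter((p) => p.dev).map((p) => p.name));
  return {
    lockfileVersion: lock.lockfileVersion,
    versionDrift: lock.lockfileVersion !== expectedVersion,
    inProduction: advisoryNames.filter((n) => prod.has(n)),
    devOnly: advisoryNames.filter((n) => dev.has(n) && !prod.has(n)),
  };
}
const SAMPLE_V1 = JSON.stringify({ lockfileVersion: 1, dependencies: {
  'prod-lib': { version: '1.0.0', dependencies: { 'nested-lib': { version: '2.0.0' } } },
  lerna: { version: '0.0.0', dev: true }, // placeholder version
} });
const SAMPLE_V2 = JSON.stringify({ lockfileVersion: 2, packages: {
  '': { name: 'example-root' },
  'node_modules/prod-lib': { version: '1.0.0' },
  'node_modules/prod-lib/node_modules/nested-lib': { version: '2.0.0' },
  'node_modules/lerna': { version: '0.0.0', dev: true }, // placeholder version
} });
console.log(auditScope(SAMPLE_V1, ['lerna', 'nested-lib']));
console.log(auditScope(SAMPLE_V2, ['lerna', 'nested-lib']));
```

A package that appears both as a dev-only and as a production install is counted as production, so it is never silently dropped from review.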