@XhmikosR
Contributor

@XhmikosR XhmikosR commented Mar 2, 2019

The semver compliant ones, i.e. no major version bump.

This fixes 68 vulnerabilities. (from 93 down to 25)

Not sure which Node.js version the contributors use, but IMO they should use >=8 to get npm 6 which has npm audit support.

@coveralls

coveralls commented Mar 2, 2019

Coverage increased (+0.03%) to 91.713% when pulling 6e51727 on XhmikosR:xmr-npm-audit into 22831c5 on mochajs:master.

@XhmikosR XhmikosR changed the title from "Run npm audit fix and up devDependencies." to "Run npm audit fix and update devDependencies." Mar 3, 2019

@plroebuck
Contributor

Just because a new version of a dependency has been released doesn't imply it should be updated here. Checks should be done on each individually to ensure they complied with semver rules.
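
An added example, not part of this PR or of mocha's code: one way to check each dependency bump individually against semver rules before accepting an update. It goes beyond the "no major version bump" rule by also flagging 0.x bumps that npm's caret ranges treat as breaking; the package names and ranges are constructed samples.

```javascript
// Parse "^1.2.3", "~1.2.3" or "1.2.3" into its operator and numeric parts.
function parseRange(range) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)/.exec(String(range).trim());
  if (!m) return null; // git URLs, tags, x-ranges: cannot be compared here
  return { op: m[1], major: +m[2], minor: +m[3], patch: +m[4] };
}

// Under caret semantics the left-most non-zero component is the breaking one,
// so 1.x -> 2.x, 0.3.x -> 0.4.x and 0.0.1 -> 0.0.2 all count as breaking.
// Only the version numbers are compared; an operator change alone is "same".
function classifyBump(oldRange, newRange) {
  const a = parseRange(oldRange);
  const b = parseRange(newRange);
  if (!a || !b) return 'review';
  const cmp = (b.major - a.major) || (b.minor - a.minor) || (b.patch - a.patch);
  if (cmp === 0) return 'same';
  if (cmp < 0) return 'downgrade';
  if (a.major !== b.major) return 'breaking';
  if (a.major === 0 && a.minor !== b.minor) return 'breaking';
  if (a.major === 0 && a.minor === 0) return 'breaking';
  return a.minor !== b.minor ? 'minor' : 'patch';
}

// Compare two devDependencies maps and list every changed or added entry.
function auditBumps(before, after) {
  const report = [];
  for (const [name, newRange] of Object.entries(after)) {
    if (!Object.prototype.hasOwnProperty.call(before, name)) {
      report.push({ name, to: newRange, kind: 'added' });
      continue;
    }
    const kind = classifyBump(before[name], newRange);
    if (kind !== 'same') report.push({ name, from: before[name], to: newRange, kind });
  }
  return report;
}

// Constructed sample input (hypothetical package names).
const before = { 'pkg-a': '^1.4.0', 'pkg-b': '^0.3.1', 'pkg-c': '~2.0.0', 'pkg-d': '^3.0.0' };
const after = { 'pkg-a': '^1.9.2', 'pkg-b': '^0.4.0', 'pkg-c': '~2.0.5', 'pkg-d': 'github:org/pkg-d' };

// Anything that is not a plain minor or patch bump needs a manual look.
const needsReview = auditBumps(before, after)
  .filter((r) => r.kind !== 'minor' && r.kind !== 'patch');
console.log(needsReview);
```

Running the same comparison on the `devDependencies` of `package.json` before and after `npm audit fix` shows which bumps stayed within their semver range and which need a changelog check.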

@XhmikosR
Contributor Author

XhmikosR commented Mar 3, 2019

I didn't just update the version, just to update it. As you can see, the dep tree is flattened a lot and many npm vulnerabilities are fixed.

That's a huge thing you should care about.

@XhmikosR
Contributor Author

XhmikosR commented Mar 4, 2019

Down to 25 vulnerabilities, from 93.

Also fixes those npm i errors coming from the zopfli wrapper, due to the assetgraph-builder update.

@XhmikosR XhmikosR changed the title from "Run npm audit fix and update devDependencies." to "Update devDependencies to fix the npm vulnerabilities" Mar 4, 2019

@boneskull
Member

LGTM, thanks.

@boneskull boneskull added the labels semver-patch (implementation requires increase of "patch" version number; "bug fixes") and type: chore (generally involving deps, tooling, configuration, etc.) Mar 5, 2019
@boneskull boneskull merged commit 754cbf9 into mochajs:master Mar 5, 2019
@XhmikosR XhmikosR deleted the xmr-npm-audit branch March 5, 2019 21:19
@boneskull boneskull added this to the v6.1.0 milestone Mar 19, 2019