Merged
Bumps [vue](https://github.com/vuejs/core) and [vue-template-compiler](https://github.com/vuejs/vue). These dependencies needed to be updated together.

Updates `vue` from 2.6.11 to 2.7.0
- [Release notes](https://github.com/vuejs/core/releases)
- [Changelog](https://github.com/vuejs/core/blob/main/CHANGELOG.md)
- [Commits](https://github.com/vuejs/core/commits)

Updates `vue-template-compiler` from 2.6.11 to 2.7.0
- [Release notes](https://github.com/vuejs/vue/releases)
- [Changelog](https://github.com/vuejs/vue/blob/main/CHANGELOG.md)
- [Commits](vuejs/vue@v2.6.11...v2.7.0)

---
updated-dependencies:
- dependency-name: vue
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: vue-template-compiler
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [decode-uri-component](https://github.com/SamVerschueren/decode-uri-component) from 0.2.0 to 0.2.2.
- [Release notes](https://github.com/SamVerschueren/decode-uri-component/releases)
- [Commits](SamVerschueren/decode-uri-component@v0.2.0...v0.2.2)

---
updated-dependencies:
- dependency-name: decode-uri-component
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [qs](https://github.com/ljharb/qs) from 6.10.1 to 6.11.0.
- [Release notes](https://github.com/ljharb/qs/releases)
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.10.1...v6.11.0)

---
updated-dependencies:
- dependency-name: qs
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) from 8.5.1 to 9.0.0.
- [Release notes](https://github.com/auth0/node-jsonwebtoken/releases)
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.0)

---
updated-dependencies:
- dependency-name: jsonwebtoken
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.15.8 to 7.20.12.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.20.12/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [json5](https://github.com/json5/json5) from 1.0.1 to 1.0.2.
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](json5/json5@v1.0.1...v1.0.2)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [redis](https://github.com/redis/redis-py) from 3.5.3 to 4.4.2.
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](redis/redis-py@3.5.3...v4.4.2)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [flask-wtf](https://github.com/wtforms/flask-wtf) from 0.15.1 to 1.1.1.
- [Release notes](https://github.com/wtforms/flask-wtf/releases)
- [Changelog](https://github.com/wtforms/flask-wtf/blob/main/docs/changes.rst)
- [Commits](pallets-eco/flask-wtf@v0.15.1...v1.1.1)

---
updated-dependencies:
- dependency-name: flask-wtf
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [cookiejar](https://github.com/bmeck/node-cookiejar) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/bmeck/node-cookiejar/releases)
- [Commits](https://github.com/bmeck/node-cookiejar/commits)

---
updated-dependencies:
- dependency-name: cookiejar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
…oken-9.0.0' into security-vulns
…ri-component-0.2.2' into security-vulns
…r-2.1.4' into security-vulns
…into security-vulns
…0.2' into security-vulns
…re-7.20.12' into security-vulns
…0' into security-vulns
…vue-template-compiler-2.7.0' into security-vulns
ashley-hebler (Member) left a comment
All the functionality worked for me. I'm nervous that this includes some major version bumps. Not to say we shouldn't do them, but just curious if you were able to look into any of the implications there?
I remember @erxclau had a good process for this where he'd check in on what each dependency did for us and cross-referenced that with the release notes. It's fortunate that the upgrades in this PR don't require any code changes, but it'd still be nice to know a little background on some of the bigger changes so we know we're looking in the right place for bugs.
ashley-hebler approved these changes on Feb 9, 2023
ashley-hebler (Member) left a comment
Just did a quick check by pushing to staging and all seems to WFM!
What's this PR do?
Fixes an array of vulnerabilities recommended by Dependabot, including:
Why are we doing this? How does it help us?
Good to stay on top of dependency upgrades for security!
Here are some major upgrades of note:
redis 4.4.2
The breaking changes in Redis 4 don't seem to affect this app:
- Impact: JSON commands available since 4.0.0beta3 now better match RedisJSON
- urllib.parse.unquote. Prior versions of redis-py supported this by specifying the decode_components flag to the from_url functions. This is now done by default and cannot be disabled. Allow URL encoded parameters in Redis URLs by Default redis/redis-py#589
- (see commands.py). Anyone importing redis.client to access commands directly should import redis.commands. Migrating commands to a mixin redis/redis-py#1534, Merged new sentinel commands from #834 redis/redis-py#1550
flask-wtf 1.1.1
Flask-wtf v1 doesn't appear to have any breaking changes when migrating from 0.15.1. Support for python 3.6 was dropped in v1.1, but we're using python 3.9 in this repo so it doesn't affect us.
jsonwebtoken 9.0.0
None of the breaking changes appear to affect us:
How should this be manually tested?
Spin up the donations app and:
How should this change be communicated to end users?
Are there any smells or added technical debt to note?
At time of writing, this PR does not address all Dependabot recommended fixes but we have quite a few. I thought it might be best to handle them in batches.
What are the relevant tickets?
Have you done the following, if applicable:
(optional: add explanation between parentheses)
TODOs / next steps:
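The redis-py note in the description above says that `from_url` now always runs URL components through `urllib.parse.unquote`, where 3.x only did so when `decode_components=True` was passed. The one place that silently changes behaviour is a `REDIS_URL` whose password contains percent-encoded characters: under 3.5.3 the literal `%40` was sent as the password, under 4.4.2 it becomes `@`. The snippet below is an added example, not code from this PR or from redis-py; it reimplements just enough of the URL parsing in plain `urllib` (so it runs without redis installed) to show both behaviours side by side, and `credentials_change_on_upgrade` is a hypothetical pre-merge check that flags a URL whose credentials would differ after the bump. The URLs are constructed sample values.

```python
from urllib.parse import unquote, urlsplit


def parse_redis_url(url: str, decode_components: bool) -> dict:
    """Parse redis://[user[:password]@]host[:port][/db] into its parts.

    decode_components=False mimics the redis-py 3.x default (components used
    verbatim); True mimics redis-py 4.x, which always applies
    urllib.parse.unquote. This is an illustrative reimplementation, not
    redis-py's own parser.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("redis", "rediss"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")

    username = parts.username or ""
    password = parts.password or ""
    db_path = parts.path.lstrip("/")

    if decode_components:
        # redis-py 4.x behaviour: percent-decode user, password and db path.
        username, password, db_path = (
            unquote(username),
            unquote(password),
            unquote(db_path),
        )

    return {
        "username": username,
        "password": password,
        "host": parts.hostname or "localhost",
        "port": parts.port or 6379,
        "db": int(db_path) if db_path else 0,
        "ssl": parts.scheme == "rediss",
    }


def credentials_change_on_upgrade(url: str) -> bool:
    """Return True if the 3.x -> 4.x default change alters the credentials
    that would be sent to the server for this URL (hypothetical check)."""
    old = parse_redis_url(url, decode_components=False)
    new = parse_redis_url(url, decode_components=True)
    return (old["username"], old["password"]) != (new["username"], new["password"])


# Constructed sample URLs, not values from the project.
PLAIN_URL = "redis://:plainsecret@localhost/0"
ENCODED_URL = "redis://:p%40ss%25word@cache.example:6380/1"

if __name__ == "__main__":
    for url in (PLAIN_URL, ENCODED_URL):
        old = parse_redis_url(url, decode_components=False)["password"]
        new = parse_redis_url(url, decode_components=True)["password"]
        flag = "CHANGES" if credentials_change_on_upgrade(url) else "same"
        print(f"{url}\n  3.x password: {old!r}\n  4.x password: {new!r}  [{flag}]")
```

Running the check over every `REDIS_URL` in the deployed environments before merging is a cheap way to confirm the "doesn't affect this app" conclusion for this particular breaking change; a flagged URL means the stored secret was relying on the old verbatim behaviour and must be re-encoded or rotated before the upgrade ships.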