packages updated #1492
Conversation
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@ Coverage Diff @@
##              dev    #1492   +/-   ##
=======================================
  Coverage   91.48%   91.48%
=======================================
  Files          29       29
  Lines        4617     4617
=======================================
  Hits         4224     4224
  Misses        393      393

☔ View full report in Codecov by Sentry.
I'm a little confused. Why can't we update the packages that pop up in the vulnerabilities? These package versions aren't changed, only the ones that they depend on? Feels like it should be both in that case? Updating minimatch etc. and also serve etc.?

Because we don't use them directly. They are, instead, used by the other libraries we need. Packages.json defines the libraries we need for the application to work. Node automatically updates packages-dev, which are the dependencies for those libraries. It is the same issue as with the python packages and the dependency tree, but in this case node automatically resolves the conflict and tells you what you need to update.

Ah ok!
I've tested manually and from what I can tell there should be no issues.
1. Description / Summary
Updating vulnerable node packages
The vulnerabilities identified by Trivy are:
To solve the dependencies, running

    npm audit fix

gives the packages that need to be updated to solve the vulnerabilities.

Perform the update:

    npm install [email protected] [email protected] [email protected] --save-dev
Check for breaking changes:
Re-build the image and execute the suite of tests to check no breaking tests.
Read the changelogs
2. Jira task / GitHub issue
https://scilifelab.atlassian.net/jira/software/projects/DDS/boards/13?selectedIssue=DDS-1837
3. Type of change

4. Additional information

master branch: If checked, read the release instructions

5. Actions / Scans
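The comment thread above makes the point that the audited packages (minimatch and friends) are transitive: they appear in the lockfile under the libraries the application depends on, not in package.json, and the update is verified by rebuilding and re-running the tests. The script below is an added example, not code from the dds_web project or this PR. It reads a constructed package-lock.json (lockfileVersion 3 layout), separates direct from transitive dependencies, and reports every installed copy of a named package that is still below a minimum version, which is the check a reviewer wants after `npm install <pkg>@<version> --save-dev`: a stale hoisted copy can remain at the top level while a newer copy is installed nested under one consumer. The package names, versions and the minimum "fixed in" version are hypothetical placeholders, not the values from the PR.

```javascript
// Added example (not from the dds_web repository or this PR): classify the
// entries of a package-lock.json as direct or transitive dependencies and
// check whether every installed copy of an audited package meets a minimum
// version. The lockfile, package names and versions below are constructed.

// Constructed package-lock.json in lockfileVersion 3 layout. The top-level
// minimatch is a stale hoisted copy; a newer copy sits nested under eslint.
const LOCKFILE_JSON = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { serve: "14.0.0" },
      devDependencies: { eslint: "8.0.0" }
    },
    "node_modules/serve": {
      version: "14.0.0",
      dependencies: { minimatch: "^3.0.4" }
    },
    "node_modules/minimatch": { version: "3.0.4" },
    "node_modules/eslint": {
      version: "8.0.0",
      dependencies: { minimatch: "^3.1.2" }
    },
    "node_modules/eslint/node_modules/minimatch": { version: "3.1.2" }
  }
});

// Hypothetical minimum versions standing in for an audit's "fixed in" column.
const MINIMUMS = { minimatch: "3.1.2" };

// Compare two dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name addressed by a lock path such as "node_modules/a/node_modules/b".
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// True for a nested copy ("node_modules/a/node_modules/b"), false for a top-level one.
function isNested(lockPath) {
  return lockPath.slice("node_modules/".length).includes("node_modules/");
}

// Classify every installed package as direct (listed in the root entry, i.e.
// in package.json) or transitive (only pulled in by another package).
function classifyDependencies(lockJson) {
  const lock = JSON.parse(lockJson);
  const root = lock.packages[""] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {})
  ]);
  const result = { direct: [], transitive: [] };
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    const name = packageName(path);
    const item = { name, version: entry.version, path };
    if (direct.has(name) && !isNested(path)) result.direct.push(item);
    else result.transitive.push(item);
  }
  return result;
}

// Return every installed copy of a named package that is still below its
// minimum version. An empty array means the finding is resolved everywhere
// in the tree, including nested copies.
function findUnfixedCopies(lockJson, minimums) {
  const lock = JSON.parse(lockJson);
  const unfixed = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    const name = packageName(path);
    if (name in minimums && compareVersions(entry.version, minimums[name]) < 0) {
      unfixed.push({ name, version: entry.version, path, required: minimums[name] });
    }
  }
  return unfixed;
}

// Stand-alone run: report the classification and any copies still to update.
const tree = classifyDependencies(LOCKFILE_JSON);
console.log("direct:", tree.direct.map((d) => `${d.name}@${d.version}`).join(", "));
console.log("transitive:", tree.transitive.map((d) => `${d.path}@${d.version}`).join(", "));
for (const u of findUnfixedCopies(LOCKFILE_JSON, MINIMUMS)) {
  console.log(`still below fix: ${u.path} is ${u.version}, needs >= ${u.required}`);
}
```

On the constructed lockfile the report flags `node_modules/minimatch` at 3.0.4 while the nested copy under eslint is already at 3.1.2, which is the situation where `npm ls minimatch` shows two versions and the audit finding persists even though a consumer was updated; on a real project, replace the embedded JSON with the contents of the repository's package-lock.json and the minimums with the fixed versions the audit reports.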