@lvpx (Contributor) commented Jul 26, 2022

The aim of this PR is to investigate failures of the npm audit that runs on every commit.

The current scenario on run gives the following error:

found 10 vulnerabilities (4 moderate, 4 high, 2 critical) in 1361 scanned packages
  run `npm audit fix` to fix 8 of them.
  2 vulnerabilities require semver-major dependency updates.
Error: Process completed with exit code 1.

So, post running npm audit fix:

# npm audit report

parse-path  <5.0.0
Severity: high
Authorization Bypass in parse-path - https://github.com/advisories/GHSA-3j8f-xvm3-ffx4
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/parse-path
  parse-url  3.0.0 - 6.0.5
  Depends on vulnerable versions of parse-path
  node_modules/parse-url
    git-up  2.1.0 - 5.0.0
    Depends on vulnerable versions of parse-url
    node_modules/git-up
      git-url-parse  11.0.0 - 11.6.0
      Depends on vulnerable versions of git-up
      node_modules/git-url-parse
        @lerna/github-client  <=5.1.7
        Depends on vulnerable versions of git-url-parse
        node_modules/@lerna/github-client
          @lerna/version  3.11.0 - 5.1.7
          Depends on vulnerable versions of @lerna/github-client
          node_modules/@lerna/version
            @lerna/publish  3.11.0 - 5.1.7
            Depends on vulnerable versions of @lerna/version
            node_modules/@lerna/publish
            lerna  3.11.0 - 5.1.7
            Depends on vulnerable versions of @lerna/version
            node_modules/lerna

8 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Finally, after running npm audit fix --force:

found 0 vulnerabilities

We need to test the impact of upgrading lerna to v5.2.0 from previous v4.0.0.
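As an added example (not code from this PR or from the project it targets), the script below reads an `npm audit --json` report in the auditReportVersion 2 shape and answers the two questions the output above raises: should the per-commit gate fail, and which direct dependency has to take the semver-major bump before the audit clears. The sample report is constructed to mirror the parse-path to lerna chain shown in the PR; the function names and the `high` threshold are assumptions.

```python
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample: the dependency chain from the PR's audit output, in the shape of
# an `npm audit --json` (auditReportVersion 2) report, trimmed to the fields read below.
CHAIN = [("parse-path", "<5.0.0"), ("parse-url", "3.0.0 - 6.0.5"),
         ("git-up", "2.1.0 - 5.0.0"), ("git-url-parse", "11.0.0 - 11.6.0"),
         ("@lerna/github-client", "<=5.1.7"), ("@lerna/version", "3.11.0 - 5.1.7")]
ADVISORY = {"title": "Authorization Bypass in parse-path", "severity": "high",
            "url": "https://github.com/advisories/GHSA-3j8f-xvm3-ffx4", "range": "<5.0.0"}
FIX = {"name": "lerna", "version": "5.2.0", "isSemVerMajor": True}  # the breaking fix

def build_sample_report() -> dict:
    vulns = {}
    for i, (name, rng) in enumerate(CHAIN):
        via = [ADVISORY] if i == 0 else [CHAIN[i - 1][0]]  # advisory only at the root
        effects = [CHAIN[i + 1][0]] if i + 1 < len(CHAIN) else ["@lerna/publish", "lerna"]
        vulns[name] = {"name": name, "severity": "high", "isDirect": False, "via": via,
                       "effects": effects, "range": rng, "fixAvailable": FIX}
    for name, direct in (("@lerna/publish", False), ("lerna", True)):
        vulns[name] = {"name": name, "severity": "high", "isDirect": direct,
                       "via": ["@lerna/version"], "effects": [],
                       "range": "3.11.0 - 5.1.7", "fixAvailable": FIX}
    counts = dict.fromkeys(SEVERITY_ORDER, 0)
    counts.update(high=len(vulns), total=len(vulns))
    return {"auditReportVersion": 2, "vulnerabilities": vulns, "metadata": {"vulnerabilities": counts}}

def root_advisories(report: dict, pkg: str, seen=None) -> list:
    """Follow `via` links from pkg down to the advisory URLs that introduce the risk."""
    seen = seen if seen is not None else set()
    if pkg in seen:
        return []
    seen.add(pkg)
    urls = []
    for v in report["vulnerabilities"][pkg]["via"]:
        urls += [v["url"]] if isinstance(v, dict) else root_advisories(report, v, seen)
    return urls

def breaking_fixes(report: dict) -> set:
    """Direct dependencies that need a semver-major bump before the audit clears."""
    return {(v["fixAvailable"]["name"], v["fixAvailable"]["version"])
            for v in report["vulnerabilities"].values()
            if isinstance(v["fixAvailable"], dict) and v["fixAvailable"]["isSemVerMajor"]}

def should_fail(report: dict, threshold: str = "high") -> bool:
    """CI gate: fail when any finding is at or above the threshold severity."""
    counts = report["metadata"]["vulnerabilities"]
    return any(counts.get(s, 0) > 0 for s in SEVERITY_ORDER[SEVERITY_ORDER.index(threshold):])
```

On a real project, replace `build_sample_report()` with `json.load` over the output of `npm audit --json`; the eight transitive findings here all collapse to one direct upgrade, which is why the gate cannot be cleared without the lerna major bump the PR tests.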

@lvpx lvpx requested a review from tiwarishub July 26, 2022 11:06
@lvpx lvpx requested a review from a team as a code owner July 26, 2022 11:06
@tiwarishub (Contributor) commented:

👋 @actions/actions-runtime, @actions/artifacts-actions and @actions/actions-cache, please review this PR for npm audit fix.

@lvpx lvpx changed the title from "[WIP] Run npm audit fix. Major lerna semver upgrade included." to "Run npm audit fix. Major lerna semver upgrade included." Aug 5, 2022
@lvpx (Contributor, Author) commented Aug 13, 2022

Closing this as it has already been taken care of in PR #1140.
