This repository was archived by the owner on Jul 9, 2025. It is now read-only.

Conversation

@BruceHaley
Contributor

@BruceHaley BruceHaley commented May 18, 2022

Fixes #minor

Description

The Component Detection task in the Azure DevOps pipeline reports 34 security alerts at or above 'High' severity in the BotFramework-Composer repo. This fixes those vulnerabilities. They are:

ansi-regex 3.0.0
ansi-regex 4.1.0
ansi-regex 5.0.0
async 0.9.2
async 2.6.2
async 2.6.3
async 3.2.0
axios 0.21.1
ejs 3.1.6
eventsource 1.0.7
follow-redirects 1.13.0
follow-redirects 1.13.1
follow-redirects 1.13.3
follow-redirects 1.14.0
follow-redirects 1.14.1
glob-parent 3.1.0
minimist 0.0.10
minimist 1.2.5
moment 2.29.1
node-fetch 1.7.3
node-fetch 2.6.0
node-fetch 2.6.1
set-value 3.0.2
shelljs 0.8.4
simple-get 2.8.1
tar 4.4.8
tar 4.4.8
tar 4.4.8
tar 4.4.8
tar 4.4.8
tar 6.1.6
tar 6.1.6
tar 6.1.6
tmpl 1.0.4

@BruceHaley BruceHaley requested a review from johnataylor May 18, 2022 21:23
@BruceHaley BruceHaley changed the title Fix 34 security alerts at or above high severity fix: 34 security alerts at or above high severity May 18, 2022
@tonyanziano
Contributor

Hey Bruce, just a heads up:

Back in January / February, we switched the Composer build tool over to Yarn v2+ (berry) to be compliant with Cyber EO requirements.

Yarn v2 operates on a completely separate set of lock files from yarn 1. You can see an example of such a lock file here: https://github.com/microsoft/BotFramework-Composer/blob/main/Composer/yarn-berry.lock

So the changes you have made in this PR will make dependabot and the security alert system happy, but it won't actually have any effect on what is packaged with the production Composer app until the v2 dependencies are updated.

@OEvgeny and I were considering completely getting rid of the v1 lock files and tooling so that we would no longer have to maintain two sets of lock files.
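
The point made above, that a version bump in the Yarn v1 lockfile changes nothing about what Yarn berry installs from `yarn-berry.lock`, can be checked mechanically rather than by eye. The script below is an added example, not code from this PR or from the Composer repository: it parses both lockfile layouts (v1's `version "x"` entries and berry's YAML-style `version: x` entries), collects the resolved version of each package in each file, and flags resolutions that still sit below a patched release on the same major line. The two lockfile snippets, the `yarn.lock` file name for the v1 file, and the table of patched versions are constructed for illustration; only `yarn-berry.lock` is taken from the comment above.

```javascript
// Added example (not from this PR or the Composer repo): verify that a
// dependency bump landed in BOTH the Yarn v1 lockfile and the Yarn berry
// lockfile, since berry ignores yarn.lock entirely. Lockfile snippets and the
// patched-version table below are constructed for illustration.

// Split a top-level entry header into its descriptors. Both layouts occur:
//   v1:    "ansi-regex@^4.1.0", ansi-regex@^4.0.0:
//   berry: "ansi-regex@npm:^5.0.0, ansi-regex@npm:^5.0.1":
function headerDescriptors(header) {
  return header.replace(/:\s*$/, '').split(',').map((d) => d.trim().replace(/^"|"$/g, ''));
}

// Package name is everything before the last "@"; index 0 is a scope, not a
// separator, so "@scope/pkg@npm:^1.0.0" still yields "@scope/pkg".
function packageName(descriptor) {
  const at = descriptor.lastIndexOf('@');
  return at > 0 ? descriptor.slice(0, at) : descriptor;
}

// Parse either lockfile format into Map<name, Set<resolvedVersion>>. Only the
// 2-space-indented "version" key of an entry is read, so a package literally
// named "version" inside a deeper-indented dependency list is not mistaken for it.
function parseLockfile(text) {
  const versions = new Map();
  let current = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line)) {
      current = headerDescriptors(line); // new top-level entry
      continue;
    }
    // v1: `  version "1.2.3"`   berry: `  version: 1.2.3`
    const m = line.match(/^ {2}version:?\s+"?([^"\s]+)"?\s*$/);
    if (!m) continue;
    for (const d of current) {
      const name = packageName(d);
      if (name === '__metadata') continue; // berry's own header block, not a package
      if (!versions.has(name)) versions.set(name, new Set());
      versions.get(name).add(m[1]);
    }
  }
  return versions;
}

// Numeric dotted-version comparison; pre-release suffixes are ignored.
function versionLt(a, b) {
  const parts = (v) => v.split('-')[0].split('.').map(Number);
  const pa = parts(a), pb = parts(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// A resolution is acceptable only if a patched release exists on the same
// major line and the resolution is at or above it; a major line with no
// patched release at all is treated as unpatched.
function isVulnerable(version, patched) {
  const major = version.split('.')[0];
  const sameLine = patched.find((p) => p.split('.')[0] === major);
  return sameLine === undefined || versionLt(version, sameLine);
}

// Compare the listed packages across both lockfiles.
function auditLockfiles(v1Text, berryText, patchedByPackage) {
  const files = { 'yarn.lock': parseLockfile(v1Text), 'yarn-berry.lock': parseLockfile(berryText) };
  const report = {};
  for (const [name, patched] of Object.entries(patchedByPackage)) {
    report[name] = {};
    for (const [file, versions] of Object.entries(files)) {
      const found = [...(versions.get(name) || [])].sort();
      report[name][file] = { found, vulnerable: found.filter((v) => isVulnerable(v, patched)) };
    }
  }
  return report;
}

// Assumed first patched release per major line (illustrative thresholds only).
const PATCHED = { 'ansi-regex': ['3.0.1', '4.1.1', '5.0.1'], minimist: ['1.2.6'] };

// Constructed v1 lockfile: already bumped, as a PR like this one would do.
const V1_LOCK = `# yarn lockfile v1
"ansi-regex@^3.0.0":
  version "3.0.1"
ansi-regex@^5.0.0, ansi-regex@^5.0.1:
  version "5.0.1"
minimist@^1.2.0, minimist@^1.2.5:
  version "1.2.6"
`;

// Constructed berry lockfile: untouched, so production still gets the old versions.
const BERRY_LOCK = `__metadata:
  version: 6
  cacheKey: 8
"ansi-regex@npm:^3.0.0":
  version: 3.0.0
  resolution: "ansi-regex@npm:3.0.0"
"ansi-regex@npm:^5.0.0, ansi-regex@npm:^5.0.1":
  version: 5.0.0
  resolution: "ansi-regex@npm:5.0.0"
"minimist@npm:^1.2.0, minimist@npm:^1.2.5":
  version: 1.2.5
  resolution: "minimist@npm:1.2.5"
`;

const REPORT = auditLockfiles(V1_LOCK, BERRY_LOCK, PATCHED);
for (const [name, perFile] of Object.entries(REPORT)) {
  for (const [file, r] of Object.entries(perFile)) {
    console.log(`${name.padEnd(11)} ${file.padEnd(16)} resolved=${r.found.join(',') || '-'} still-vulnerable=${r.vulnerable.join(',') || '-'}`);
  }
}
```

Run against real files with `fs.readFileSync` in place of the constructed strings; a non-empty `still-vulnerable` list under `yarn-berry.lock` after a v1-only bump is exactly the situation the comment above describes. The per-major-line check matters for packages such as ansi-regex that carry several maintained release lines, where a single "minimum version" threshold would wrongly clear an old 4.x resolution.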

@cypress

cypress bot commented Jun 16, 2022



Test summary: 16 passed, 0 failed, 1 pending, 0 skipped, flakiness 0


Run details

Project Composer
Status Passed
Commit 979f65b
Started Jun 16, 2022 10:14 PM
Ended Jun 16, 2022 10:19 PM
Duration 05:15
OS Linux Ubuntu - 20.04
Browser Electron 89


@BruceHaley BruceHaley changed the title fix: 34 security alerts at or above high severity 34 security alerts at or above high severity Jun 24, 2022
@BruceHaley BruceHaley changed the title 34 security alerts at or above high severity fix: 34 security alerts at or above high severity Jun 24, 2022
@BruceHaley
Contributor Author

Abandoned: These, down to 20, will be revisited after #9298 is merged.

@BruceHaley BruceHaley closed this Jul 8, 2022
@BruceHaley BruceHaley deleted the bruce/cgalertfixes5-12b branch July 14, 2022 17:27
