👍 Dependency issues cleared. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
@SocketSecurity ignore npm/@standard-schema/utils@0.3.0
bd0cec0 to fed8b39
| }, | ||
| "dependencies": { | ||
| "@hookform/resolvers": "3.10.0", | ||
| "@hookform/resolvers": "^4.1.3", |
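Review bot: the replaced line swaps the exact pin `"3.10.0"` for the caret range `"^4.1.3"`, so this major upgrade of @hookform/resolvers also loosens the version constraint; if the manifest pins exact versions (as the removed line did), keep it as `"4.1.3"`, or state in the description why a range is intended here.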
I went through the changelog as it is a major version upgrade and it seems ok
Thanks, I used yarn up and did not notice. It usually upholds the range specifier (it does with electron).
Ofc I can lock it to patch, though maybe we don't have to 🤔
It's just a wrapper for Yup for form validation, so I don't believe that to be critical from a security or maintenance perspective, what do you think?
wait wait there is a BC for "ajv" and to my surprise we somehow use it: "ajv": "^8.17.1",
But it seems we only use it in suite-common/token-definitions/scripts/utils/validate.ts so it shall not be affected by the possible incompatibility of the formhook stuff
Well that seems ok. We have ajv installed directly and import it directly.
If @hookform/resolvers just changed its wrapper for ajv, then we are fine with that, because we don't use ajv through @hookform/resolvers
| languageName: node | ||
| linkType: hard | ||
|
|
||
| "ignore@npm:^6.0.0": |
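Review bot: the new `"ignore@npm:^6.0.0":` lockfile entry adds a third resolved major of `ignore` next to the 5 and 7 ranges discussed in the thread; dedupe cannot merge distinct majors, so record in the PR description which transitive dependency pulls in ^6.0.0 (the thread says unified-engine via eslint-mdx, dev-only) so the duplicate is understood as intentional.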
☝️ this is sus, dedupe won't solve it?
This may be legit if those versions are incompatible and we have 2 dependencies that need different versions. But it's sus.
It won't; I always run yarn dedupe for each commit when bumping deps.
I don't consider it sus. We already had ignore@5 and ignore@7. It is required by multiple libs; one of them is unified-engine which went from 5 to 6, so now we have 5,6,7 🤷
Dedupe always considers major version incompatible, which seems reasonable to me?
This particular version ends up only as dev dependency btw, because unified-engine is required by eslint-mdx.
marekrjpolak left a comment
State patch feature LGTM.
fed8b39 to d346559
Ad failing [Test] suite-desktop e2e: only those assertions fail the test, so I'm merging:
Description
Update most Foundation-related dependencies.
major version:
minor version:
patch version:
none
not updated:
- tiny-secp256k1: TODO in #12261
- electron-store: blocked by #14482

ℹ️ For reference, the last bump foundation deps PR was #16880
👁️ I skimmed through all code changes except eslint-related packages and electron; found nothing suspicious ✅

Related Issue
Resolve #17495
QA
👁️ Besides CI checks, I have tested locally:
@coderabbitai ignore