This repository has been archived by the owner on Nov 29, 2023. It is now read-only.

Prepare for 3.0.5 #384

Merged

Conversation

eyelidlessness
Contributor

@eyelidlessness eyelidlessness commented Jan 31, 2022

Note: this will need to be updated again, pending release of enketo-core 6.0.4

  • Create release PR
  • Check Dependabot for alerts
    • Note this will not correctly reflect the vulnerabilities to be released until the dependency upgrades are merged. I do not see any vulnerabilities that aren't addressed with npm audit below.
  • Run npm update
    • Check if node-forge has been updated and if so, verify encrypted submissions end-to-end
  • Run npm audit
    • Run npm audit fix --production to apply most important fixes
      • Note there is an outstanding dependency vulnerability for jstransformer-markdown-it, which is only used to render CHANGELOG.md as HTML, which does not process arbitrary user input
  • Run npm ci
  • Run npm test
  • Run npm run build-docs
  • Update CHANGELOG.md
  • Update version in package.json
    • N/A: Bump to major version if consumers have to make changes.
  • Merge PR with all changes @lognaturel
  • Create GitHub release @lognaturel
  • Tag and publish the release @lognaturel
    • GitHub Action will publish it to npm

@eyelidlessness eyelidlessness force-pushed the prerelease/3-0-5/dependencies branch from a168da7 to 799cf04 on January 31, 2022 23:08
@MartijnR
Member

MartijnR commented Feb 1, 2022

Watch out for node-forge #378 (comment). Just in the unlikely case that users end up with encrypted records that can never be decrypted.

@eyelidlessness
Contributor Author

@MartijnR As @lognaturel mentioned on the enketo-core PR, I have verified the node-forge upgrade works with Central's managed encryption. I have now also verified that it works with non-managed public/private key encryption through ODK Briefcase, as you said in #378 (comment).

@MartijnR
Member

MartijnR commented Feb 4, 2022

Great! Thanks!

@eyelidlessness eyelidlessness changed the title Update dependencies and fix vulnerabilities Prepare for 3.0.5 Feb 5, 2022
@lognaturel
Contributor

Core 6.0.4 is released. I think #373 and #365 should also be merged.

Would be good to update the build status icon to use the GitHub action and to have that link to /actions or something (rather than to the icon itself, which is what's going on in Core right now).

Addresses all current vulnerabilities, except:

- `markdown-it`, which is only used to populate `CHANGELOG.md` as HTML in the index view
- Sub-dependencies of `enketo-core` > * > `node-forge`, which will be resolved when core is updated

@eyelidlessness eyelidlessness force-pushed the prerelease/3-0-5/dependencies branch from ff013d8 to 6a33494 on February 9, 2022 01:28
@eyelidlessness eyelidlessness marked this pull request as ready for review February 9, 2022 01:28
@lognaturel lognaturel force-pushed the prerelease/3-0-5/dependencies branch from 6a33494 to c38c11d on February 9, 2022 05:21
@lognaturel lognaturel merged commit 5e298e5 into enketo:master Feb 9, 2022