Upgrade JS dependencies #1514
Upgrade JS dependencies #1514
Conversation
ahangarha
force-pushed
the
fix-js-vulnerabilities
branch
4 times, most recently
from
381acaa
to
a019f7e
Compare
CHANGELOG.md
Outdated
| @@ -17,6 +17,9 @@ Changes since last non-beta release. | |||
|
|
|||
| *Please add entries here for your pull requests that are not yet released.* | |||
|
|
|||
| ### Fixed | |||
| - Upgrade several JS dependencies to knows security issues. [PR 1514](https://github.com/shakacode/react_on_rails/pull/1514) by [ahangarha](https://github.com/ahangarha) | |||
There was a problem hiding this comment.
Upgrade several JS dependencies to fix security issues.
There was a problem hiding this comment.
My bad! Editing several times and finally pushing a wrong sentence! 😞
Fixed ✅
package.json
Outdated
| @@ -53,6 +54,9 @@ | |||
| "react": ">= 16", | |||
| "react-dom": ">= 16" | |||
| }, | |||
| "resolutions": { | |||
| "ansi-regex": "^3.0.1" | |||
There was a problem hiding this comment.
why is this needed?
should be documented in the PR
There was a problem hiding this comment.
I explained in its own commit:
This is a temporary fix due to complexities of upgrading eslint and
other relevant dependencies (namely prettier-eslint-cli) to newer
versions.
Maybe I had to bring it to the PR body as well.
Since we had a kind of urgency in resolving high/critical vulnerabilities, I did a tradeoff and chose to use this approach for this particular package rather than spending hours or days to fix issues with upgrading prettier-eslint-cli, which required upgrading eslint and make modifications in our source code to address the breaking changes.
| "react": "^16.5.2", | ||
| "react-dom": "^16.5.2", | ||
| "prop-types": "^15.8.1", | ||
| "react": "^16.14.0", |
There was a problem hiding this comment.
Why is react not upgraded to 17 at least?
There was a problem hiding this comment.
There was no security issue with React. For such dependencies, I only pushed all minor versions. I thought it might be a development decision to use which version of React.
ahangarha
force-pushed
the
fix-js-vulnerabilities
branch
from
106c21f
to
4b0dfdf
Compare
This is a temporary fix due to complexities of upgrading eslint and other relevant dependencies (namely prettier-eslint-cli) to newer versions.
ahangarha
force-pushed
the
fix-js-vulnerabilities
branch
from
4b0dfdf
to
18b93e2
Compare
In this PR, I have updated our JS dependencies to address several known security vulnerabilities. Amoung them and due to our urgency I resolved the issues with
ansi-regexusingresolutionsentry inyarn.lock. This is a temporary fix due to complexities of upgrading eslint and other relevant dependencies (namely prettier-eslint-cli) to newer versions.This change is