Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: root libs security #2751

Merged
merged 15 commits into from
Apr 17, 2020
Merged

fix: root libs security #2751

merged 15 commits into from
Apr 17, 2020

Conversation

jsomsanith-tlnd
Copy link
Contributor

@jsomsanith-tlnd jsomsanith-tlnd commented Apr 16, 2020
edited
Loading

What is the problem this PR is trying to solve?
We have security issues on talend/ui (here only the root folder is impacted).
image

What is the chosen solution to this problem?

Direct dependencies removal

  • cpx: it's not used at root. It's still present in the packages, need to replace it with cpx2 (out of scope for now).
  • pixelmatch, pngjs, puppeteer, tmp-promise: remove along with the associated scripts (test:nonreg not used)
  • slimerjs: this was added with the visual non-regs via screenshots. This has been removed. Remove the dependency and clean associated packages
  • storybook-chroma: not used on talend/ui, consider it on talend/design-system instead
  • surge: we use it as cli only, to upload our public SB on this public repo. Remove and use it via npx.

Direct dependencies upgrade

Indirect dependencies exact resolutions

  • lodash: resolve to ^4.17.15 (compatible with all the required versions)
  • set-value: resolve to ^3.1.2 (compatible with current 3.1.1)
  • mixin-deep: resolve to ^1.3.2 (compatible with current 1.3.1)
  • acorn: resolve all 6.x to 6.4.1
  • kind-of: resolve all 6.x to 6.0.3

Indirect dependencies resolutions

  • dot-prop: resolve to ^5.2.0 (from 3.x - lerna and 4.x - lerna). Looking at their history, major version are due to node requirements >4 (from 3.x to 4.x) and >8 (from 4.x to 5.x).
  • minimist: resolve to ^1.2.5 (from 0.0.8 - lerna | 1.2.0 - lerna). History doesn't seem to have breaking changes, don't understand their release process.

After
image

Waiting for those issues/PRs to remove resolution

Please check if the PR fulfills these requirements

  • The PR commit message follows our guidelines
  • Tests for the changes have been added (for bug fixes / features) And non reg done before need review
  • Docs have been added / updated (for bug fixes / features)
  • Related design / discussions / pages (not in jira), if any, are all linked or available in the PR

[ ] This PR introduces a breaking change

@jsomsanith-tlnd jsomsanith-tlnd changed the title fix: libs security fix: root libs security Apr 16, 2020
@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

@jsomsanith-tlnd jsomsanith-tlnd force-pushed the jsomsanith/fix/security_fixes branch from 66c89eb to c64e44c Compare April 16, 2020 14:31
@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

1 similar comment
@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

1 similar comment
@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

2 similar comments
@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

@build-travis-ci
Copy link
Collaborator

:octocat: Demo is available here

@jsomsanith-tlnd jsomsanith-tlnd merged commit e10a9e5 into master Apr 17, 2020
@jsomsanith-tlnd jsomsanith-tlnd deleted the jsomsanith/fix/security_fixes branch April 17, 2020 12:07
@jsomsanith-tlnd jsomsanith-tlnd restored the jsomsanith/fix/security_fixes branch April 17, 2020 12:33
@jsomsanith-tlnd jsomsanith-tlnd deleted the jsomsanith/fix/security_fixes branch April 17, 2020 12:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mhuchet mhuchet mhuchet approved these changes

@vbocquet vbocquet vbocquet approved these changes

@frassinier frassinier frassinier approved these changes

Assignees
No one assigned
Labels
need review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jsomsanith-tlnd @build-travis-ci @frassinier @vbocquet @mhuchet