
Update vulnerable dependencies #892

Merged
Jan 14, 2019

Conversation

ScottRudiger
Contributor

This patches 7 vulnerabilities in the package's dependencies; most notably:

  • handlebars (dep of jsdoc-to-markdown)
  • mime (dep of @auth0/component-cdn-uploader)

The others were low severity such as Prototype Pollution.

To catch these more easily going forward, I'd recommend the following:

  • 📦 Switch to npm, which catches these vulnerabilities on install, and make use of its excellent npm audit feature.

  • 🤖 Consider automating dependency updates (Renovate or Greenkeeper). I prefer Renovate as I'm just more familiar with it.

I'd be happy to help with either of these if desired. 👍

@luisrudge luisrudge merged commit 8381e4b into auth0:master Jan 14, 2019
@luisrudge
Contributor

Thanks! We've been thinking about automating our dependency management, but never got around to actually doing it. What's your experience with both services?

@ScottRudiger
Contributor Author

I haven't actually used Greenkeeper, but read up on it before choosing Renovate. Greenkeeper seems like a fine service if you plan to review each and every pull request for a dependency update (major/minor/patch). However, Renovate is highly configurable.

For instance, you could set it to open PRs on a schedule to reduce "noise"; e.g., every weekend or after 6pm on Friday (I noticed Auth0 employees tend to not work on weekends, which is great! 👍).

There's an automerge feature as well, which you could set to go ahead and merge patch and minor updates as long as tests pass, while allowing a manual review for major updates.

The author seems open to feature requests as well if there's something extra Auth0 might need in the future. For example, I'm working with him to add a feature that adds a tag after a PR merge (I've been meaning to go back and help some more with that).

Painless Dependency Upgrades with Renovate App is a good start for a comparison.

@luisrudge
Contributor

That's great. Let's go with renovate then, but let's keep automerge disabled for now. Can you send a PR with the configuration file to kick things off?
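
As an added illustration (not the configuration file from the follow-up PR, which is not on this page), a renovate.json5 that reflects the settings discussed in this thread: the out-of-hours schedule from the comment above, major updates always held for manual review, and automerge kept off as the maintainer asked, with the patch/minor automerge rule left commented out for later. The timezone, labels and schema URL are assumptions.

```json5
// renovate.json5, hypothetical example; not the project's own config
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  // Open update PRs only outside working hours, as proposed in the thread.
  // Timezone is an assumption: set it to the team's real one.
  "timezone": "UTC",
  "schedule": ["after 6pm on friday", "every weekend"],

  // Maintainer's decision for now: every PR gets a human review.
  "automerge": false,

  "packageRules": [
    {
      // Major updates are never merged without review, even if automerge
      // is switched on for other update types later.
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["major-update"]
    }
    // To enable the behaviour described above later (patch and minor
    // updates merged once CI passes), add this rule:
    // {
    //   "matchUpdateTypes": ["minor", "patch"],
    //   "automerge": true,
    //   "automergeType": "pr"
    // }
  ],

  // PRs that fix a known vulnerability should not wait for the weekend
  // schedule and are labelled so they stand out in review.
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "schedule": ["at any time"]
  }
}
```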

@ScottRudiger
Contributor Author

Will do! 👍

luisrudge added a commit that referenced this pull request Jan 21, 2019
* Revert "Add `test:coverage` npm script to check coverage locally (#891)"

This reverts commit 14656e3.

* Revert "Update vulnerable dependencies (#892)"

This reverts commit 8381e4b.

* Revert "Release 9.9.0 (#890)"

This reverts commit 535484f.

* Revert "Don't use storage when inside the UNiversal Login Page (#889)"

This reverts commit 9b2a98f.