@andrevitalb andrevitalb commented Oct 31, 2024

📝 Description

🔗 Jira Ticket M2-7988

Two critical alerts for the repo appeared due to external dependencies. Both were overridden to import the latest patched versions.

✏️ Notes

Removing the node_modules/ folder and running npm install is required. Once this step is taken, no more critical alerts should show up.

@andrevitalb

A more detailed explanation of the findings can be found here:

crypto-js

  • Current Version: 4.1.1 (react-secure-storage sub-dependency)
  • Target Version: 4.2.0+
  • Usage Locations:
    • useRemoveAppletData.ts
    • useRemoveAppletData.test.ts
    • Language.tsx
    • useReturnToLibraryPath.ts
    • useReturnToLibraryPath.test.ts
    • navigateToLibrary.ts
    • navigateToLibrary.test.ts
  • Risk Assessment: Low
  • Testing Areas:
    • Local storage encryption/decryption

Temporary solution

  • Implemented package override to force crypto-js@4.2.0.
  • This solution will need to be monitored and removed once react-secure-storage updates their dependency.

Testing Requirements

  • Focus on login functionality
  • Test local storage options
  • Verify encrypted data can still be decrypted

Long term solution

  • A PR updating the library's dependency was added here. After that PR is merged, react-secure-storage can be updated for the project and the temporary solution reverted.

@babel/traverse

  • Current Version: ^7.19.0, 7.7.2
  • Target Version: 7.23.2+
  • Usage Locations:
    • Build configuration
  • Risk Assessment: Low
  • Testing Areas:
    • Build process
    • General application functionality

Implementation Details

  • Added package override for @babel/traverse to enforce version 7.23.2+
  • Package is a transitive dependency through build tools (react-app-rewired)
  • No direct usage in project code
  • No changes needed in config-overrides.js

Verification Steps

  1. Confirmed override is working: npm list @babel/traverse
  2. Tested build process:
    • Development server: npm start
    • Production build: npm run build
    • Test suite: npm run test:nowatch

Risk Assessment

  • Low risk: Build-time dependency only
  • No runtime impact
  • Protected by package override
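The verification step above relies on `npm list` after a fresh install. As an added example (not code from this PR or the project), the Node script below repeats that check offline against a package-lock.json, flagging every nested copy of an overridden package that still resolves below the minimum patched version named in the PR. The lock-file contents and the `sample-app` name are constructed for the example; the minimum versions are the targets stated above.

```javascript
// Minimum patched versions the package overrides are meant to enforce (from the PR).
const MINIMUM_VERSIONS = {
  "crypto-js": "4.2.0",
  "@babel/traverse": "7.23.2",
};

// "7.23.2-beta.1" -> [7, 23, 2]; prerelease and build metadata are ignored.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map(Number);
}

// Numeric (not lexicographic) compare: "4.10.0" is newer than "4.2.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Lockfile key -> package name, keeping scoped names intact:
// "node_modules/react-secure-storage/node_modules/crypto-js" -> "crypto-js"
// "node_modules/@babel/traverse" -> "@babel/traverse"; root "" -> null
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : lockPath.slice(idx + "node_modules/".length);
}

// Walk the lockfileVersion 2/3 "packages" map and collect every resolved copy
// of an overridden package that is still older than its minimum.
function findUnpatched(lock, minimums) {
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in minimums)) continue;
    if (compareVersions(entry.version, minimums[name]) < 0) {
      violations.push({ path: lockPath, version: entry.version, required: minimums[name] });
    }
  }
  return violations;
}

// Constructed sample lock (not the project's real lock file): the override put
// crypto-js 4.2.0 at the top level, but a stale nested 4.1.1 copy survived under
// react-secure-storage, which is exactly what a missing reinstall looks like.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/crypto-js": { version: "4.2.0" },
    "node_modules/react-secure-storage": { version: "1.0.0", dependencies: { "crypto-js": "^4.1.1" } },
    "node_modules/react-secure-storage/node_modules/crypto-js": { version: "4.1.1" },
    "node_modules/@babel/traverse": { version: "7.23.2" },
  },
};

console.log(findUnpatched(SAMPLE_LOCK, MINIMUM_VERSIONS));
```

In a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` and fail the CI job when the returned array is non-empty.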

@andrevitalb andrevitalb requested a review from ChaconC October 31, 2024 17:29
@aws-amplify-us-east-1

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-1969.d19gtpld8yi51u.amplifyapp.com

@andrevitalb andrevitalb merged commit 797cccb into develop Nov 19, 2024
@andrevitalb andrevitalb deleted the feature/M2-7988-update-dependencies branch November 19, 2024 21:03
@ramirlm ramirlm changed the title feature: Fix critical warning dependencies (M2-7988) feature: Fix critical warning dependencies (M2-7989) Dec 19, 2024