Upgrade to Node 20, Webpack 5, npm audit fixes #147

adriancofie · 2024-01-08T15:12:32Z

Description

This ticket is to upgrade the version of node to a supported version, update webpack, and resolve any moderate or above vulnerabilities related to this repository.

This should entail the following:

Update Node to the latest LTS v20 (lts/iron)
Update Webpack to v5
Update any other required dependencies to resolve aforementioned security issues

Steps:

Node

Install and use node 20 locally

    nvm install 20
    nvm use 20

Update .nvmrc to contain lts/iron and update the allowed version ins package.json

Webpack et al.

Extract the jest config from package.json to jest.config.js
Note: This allows for more modularity and lets us have dynamic paths

Run the following:

    npm install webpack@latest --save-dev

Run the following:

	npm install —save-dev eslint-webpack-plugin  @babel/eslint-parser  @babel/plugin-proposal-private-property-in-object
	html-webpack-plugin  buffer stream-http process https-browserify url

npm uninstall eslint-loader babel-eslint

Webpack 5 does not polyfill Node.js core modules by default anymore so remove the following from the webpack config:

		node: {
		  module: 'empty',
		  dgram: 'empty',
		  dns: 'mock',
		  fs: 'empty',
		  http2: 'empty',
		  net: 'empty',
		  tls: 'empty',
		  child_process: 'empty',
		}

And add the following to the resolve key in the webpack config

				fallback: {
					"http": require.resolve("stream-http"),
					"https": require.resolve('https-browserify'),
					"buffer": require.resolve('buffer'),
					"url": require.resolve("url"),
				},

Add the following Buffer plugin to the list of plugins in the webpack config

					Buffer: ['buffer', 'Buffer'],
				})

Update the webpack hashing function from the insecure md4 to xxhash64
Add the following lineconst __webpack_base_uri__ = 'http://localhost:3000';
Update loader notation in webpack config
Usage of loader notation 'style-loader!css-loader' is deprecated and replaced with
[{loader: ‘style-loader’}, {loader: ‘css-loader’}]
Update the import statement for the ManifestPlugin to the following and update the references:

const { WebpackManifestPlugin } = require('webpack-manifest-plugin');

Add the required absoluteRuntime key to babel.config.js
Replace the deprecated babel-eslint package with @babel/eslint-parser
Replace eslint loader with eslint-webpack-plugin

Import the new plugin

const ESLintPlugin = require('eslint-webpack-plugin');

Add the plugin to the plugin list in webpack.config.js

		plugins: [
			new ESLintPlugin( {
	extensions: [`js`, `jsx`, `cjs`,`mjs`,`ts`,`tsx`],
	exclude:[  `/node_modules/`, ...paths.appExcludeFromBuild],
	cache: true,
formatter: require.resolve('react-dev-utils/eslintFormatter'),
eslintPath: require.resolve('eslint'),
resolvePluginsRelativeTo: __dirname,
ignore: true,
useEslintrc: true,}),

Update buildAxiosRequest.test.js to set the addapter type to http

	const axiosInstance = axios.create({
		timeout: 10000,
		adapter: 'http',
	});

Update App.test.js to remove the following:

axios.defaults.adapter = require('axios/lib/adapters/http');

Run the following:

    npm audit fix --force

Run the following

	npm run lint:fix

Requirements:

In the commits comment take note of which packages were updated to a new major version, and any other pertinent information or steps taken to resolve issues encountered.

Acceptance Criteria:

All major and above node/NPM vulnerabilities are resolved.
Node is at LTS v20
Webpack is at v5

The text was updated successfully, but these errors were encountered:

nvm install 18 nvm use 18 npm audit fix --force npm install webpack@latest --save-dev

Investigation only. nvm install 18 nvm use 18 npm audit fix --force npm install webpack@latest --save-dev Overrridges the the github workflow node_version to v18. (react-app-playgrounds workflow at this time is v16)

Investigation only. nvm install 18 nvm use 18 npm audit fix --force npm install webpack@latest --save-dev

Investigation only. nvm install 18 nvm use 18 npm audit fix --force npm install webpack@latest --save-dev npm run lint:fix

Investigation only nvm install 20 nvm use 20 npm audit fix --force npm install webpack@latest --save-dev

Updates node to 18, webpack to v8 and addresses security updates

Updates node to 18, webpack to v8 and addresses security updates ``` nvm install 18 nvm use 18 ``` * Updates LTS in `.nvmrc` `npm install webpack@latest --save-dev` - Updates webpack config to address CRA CommonJS bug affecting axios/nock/jest combo - Moves jest config out of package.json into own config - Adds axios to transformIgnoreModules `npm audit fix --force`

Updates node to 18, webpack to v8 and addresses security updates ``` nvm install 18 nvm use 18 ``` * Updates LTS in `.nvmrc` `npm install webpack@latest --save-dev` - Updates webpack config to address CRA CommonJS bug affecting axios/nock/jest combo facebook/create-react-app#11889 (comment) - Moves jest config out of package.json into own config - Adds axios to transformIgnoreModules `npm audit fix --force`

Updates node to 18, webpack to v8 and addresses security updates ``` nvm install 18 nvm use 18 ``` * Updates LTS in `.nvmrc` `npm install webpack@latest --save-dev` - Updates webpack config to address CRA CommonJS bug affecting axios/nock/jest combo facebook/create-react-app#11889 (comment) - Updater syntax change for IgnorePlugin in webpack config - Misc webpack config changes following migration guide: https://webpack.js.org/migrate/5/ - Moves jest config out of package.json into own config - Adds axios to transformIgnoreModules `npm audit fix --force`

Investigation only nvm install 20 nvm use 20 npm audit fix --force npm install webpack@latest --save-dev updated axios

Updates node to 18, webpack to v8 and addresses security updates ``` nvm install 18 nvm use 18 ``` * Updates LTS in `.nvmrc` `npm install webpack@latest --save-dev` - Updates webpack config to address CRA CommonJS bug affecting axios/nock/jest combo facebook/create-react-app#11889 (comment) - Updater syntax change for IgnorePlugin in webpack config - Misc webpack config changes following migration guide: https://webpack.js.org/migrate/5/ - Moves jest config out of package.json into own config - Adds axios to transformIgnoreModules `npm audit fix --force`

Updates node to 18, webpack to v8 and addresses security updates ``` nvm install 18 nvm use 18 ``` * Updates LTS in `.nvmrc` `npm install webpack@latest --save-dev` - Updates webpack config to address CRA CommonJS bug affecting axios/nock/jest combo facebook/create-react-app#11889 (comment) - Updater syntax change for IgnorePlugin in webpack config - Misc webpack config changes following migration guide: https://webpack.js.org/migrate/5/ - Moves jest config out of package.json into own config - Adds axios to transformIgnoreModules `npm audit fix --force` Eslint loader deprecated

The lint fixes for prior commit

Updates node to 18, webpack to v8 and addresses security updates ``` nvm install 18 nvm use 18 ``` * Updates LTS in `.nvmrc` `npm install webpack@latest --save-dev` - Updates webpack config to address CRA CommonJS bug affecting axios/nock/jest combo facebook/create-react-app#11889 (comment) - Updater syntax change for IgnorePlugin in webpack config - Misc webpack config changes following migration guide: https://webpack.js.org/migrate/5/ - Moves jest config out of package.json into own config - Adds axios to transformIgnoreModules `npm audit fix --force` Eslint loader deprecated (#147) Lint fixes for prior commit The lint fixes for prior commit

nvm install 20 nvm use 20 npm audit fix --force npm install webpack@latest --save-dev updated axios removed adapter: 'http' from axios-client.js

Updates node to 20, webpack to v8 and addresses security updates ``` nvm install 20 nvm use 20 ``` * Updates LTS in `.nvmrc` `npm install webpack@latest --save-dev` - Updates webpack config to address CRA CommonJS bug affecting axios/nock/jest combo facebook/create-react-app#11889 (comment) - Updater syntax change for IgnorePlugin in webpack config - Misc webpack config changes following migration guide: https://webpack.js.org/migrate/5/ - Moves jest config out of package.json into own config - Adds axios to transformIgnoreModules `npm audit fix --force`

adriancofie added the task label Jan 8, 2024

adriancofie added a commit that referenced this issue Feb 20, 2024

(#147) Update Node, Webopack, Misc security updates

761cd0d

nvm install 18 nvm use 18 npm audit fix --force npm install webpack@latest --save-dev

adriancofie added a commit that referenced this issue Feb 21, 2024

(#147) Update Node, Webpack, Misc security updates

f35247d

Investigation only. nvm install 18 nvm use 18 npm audit fix --force npm install webpack@latest --save-dev

adriancofie added a commit that referenced this issue Feb 21, 2024

(#147) Update Node, Webpack, Misc security updates

11b8bbf

Investigation only. nvm install 18 nvm use 18 npm audit fix --force npm install webpack@latest --save-dev npm run lint:fix

sarinapadilla added this to the O&M Sprint 1 milestone Feb 27, 2024

belaolsonNIH added a commit that referenced this issue Feb 28, 2024

(#147) Update Node, Webpack, & other security vulnerabilities

01b6935

Investigation only nvm install 20 nvm use 20 npm audit fix --force npm install webpack@latest --save-dev

belaolsonNIH added a commit that referenced this issue Feb 28, 2024

(#147) Update Node, Webpack, & other security vulnerabilities

cc6d1fb

Investigation only nvm install 20 nvm use 20 npm audit fix --force npm install webpack@latest --save-dev

adriancofie added a commit that referenced this issue Mar 1, 2024

(#147) Update Node, Webpack, Misc security updates

a234d26

Updates node to 18, webpack to v8 and addresses security updates

adriancofie added a commit that referenced this issue Mar 1, 2024

(#147) Update Node, Webpack, Misc security updates

9b4a6f5

Updates node to 18, webpack to v8 and addresses security updates

belaolsonNIH added a commit that referenced this issue Mar 5, 2024

(#147) Update Node, Webpack, & other security vulnerabilities

a737854

Investigation only nvm install 20 nvm use 20 npm audit fix --force npm install webpack@latest --save-dev updated axios

adriancofie added a commit that referenced this issue Mar 8, 2024

(#147) Lint fixes for prior commit

8dc220f

The lint fixes for prior commit

adriancofie added a commit that referenced this issue Mar 8, 2024

(#147) Lint fixes for prior commit

9279c8c

The lint fixes for prior commit

adriancofie mentioned this issue Mar 11, 2024

(#147) Upgrade to Node 18, Webpack 5, npm audit fixes #151

Closed

adriancofie changed the title ~~Run npm audit fix and resolve remaining moderate or above vulnerabilities~~ Upgrade to Node 18, Webpack 5, npm audit fixes (#102) Mar 11, 2024

adriancofie changed the title ~~Upgrade to Node 18, Webpack 5, npm audit fixes (#102)~~ Upgrade to Node 18, Webpack 5, npm audit fixes Mar 11, 2024

adriancofie changed the title ~~Upgrade to Node 18, Webpack 5, npm audit fixes~~ Upgrade to Node 20, Webpack 5, npm audit fixes Mar 11, 2024

belaolsonNIH added a commit that referenced this issue Mar 20, 2024

(#147) Update Node, Webpack, & other security vulnerabilities

47e86f7

nvm install 20 nvm use 20 npm audit fix --force npm install webpack@latest --save-dev updated axios removed adapter: 'http' from axios-client.js

sarinapadilla removed this from the Iteration 1 milestone Sep 26, 2024

adriancofie mentioned this issue Oct 22, 2024

(#147) Update Node, Webpack, Misc security updates #155

Merged

sarinapadilla added this to the Filtering Iteration 3 milestone Oct 24, 2024

welshja assigned adriancofie Nov 7, 2024

adriancofie closed this as completed in #155 Nov 26, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade to Node 20, Webpack 5, npm audit fixes #147

Upgrade to Node 20, Webpack 5, npm audit fixes #147

adriancofie commented Jan 8, 2024 •

edited

Loading

Upgrade to Node 20, Webpack 5, npm audit fixes #147

Upgrade to Node 20, Webpack 5, npm audit fixes #147

Comments

adriancofie commented Jan 8, 2024 • edited Loading

Description

Steps:

Node

Webpack et al.

Requirements:

Acceptance Criteria:

adriancofie commented Jan 8, 2024 •

edited

Loading