chore: Upgrade packages to fix vulnerabilities #531
Merged: anicholls merged 15 commits into Workday:prerelease/v4 from anicholls:fix-vulnerability on Apr 16, 2020
Conversation
anicholls force-pushed the fix-vulnerability branch 4 times, most recently from a102cc5 to 76479e3 on April 2, 2020 23:06
anicholls changed the title from "chore: Upgrade packages to fix minimist vulnerability" to "chore: Upgrade packages to fix vulnerabilities" on Apr 6, 2020
anicholls force-pushed the fix-vulnerability branch from 76479e3 to 6d56383 on April 6, 2020 18:15
anicholls force-pushed the fix-vulnerability branch 2 times, most recently from b478c9a to cb4d967 on April 8, 2020 18:49
mannycarrera4 approved these changes on Apr 15, 2020
lychyi reviewed on Apr 15, 2020
NicholasBoll approved these changes on Apr 15, 2020
* Add unit tests
* Add Cypress specifications
* Add visual tests
* Upgrade Popper to v2 and use canvas-kit Popper component instead of material-ui's

This change makes it easier to create accessible tooltips. It is now possible to do this:

```tsx
<Tooltip title="Close">
  <IconButton variant={IconButton.Variant.Circle} icon={xIcon} aria-label="Close" />
</Tooltip>
```

BREAKING CHANGE: Tooltip API was updated to make it easier to consume. The original `Tooltip` did little more than add a `role="tooltip"` to a styled component. The original tooltip is now exported as `TooltipContainer` to make it easier to migrate without rewriting all tooltips. Imports will have to be updated to use the old API:

**Before:**

```ts
import { Tooltip } from '@workday/canvas-kit-react-tooltip'
```

**After:**

```ts
import { TooltipContainer as Tooltip } from '@workday/canvas-kit-react-tooltip'
```

Also with this change, the tooltip no longer gets the role `tooltip` and must be added manually.

BREAKING CHANGE: `Popper` was changed to a Functional Component with a forwarded ref. If you passed a `ref` object to `Popper` before, it will now point to the element rather than the `Popper` instance.
anicholls force-pushed the fix-vulnerability branch from 6ade3de to 9fa55a0 on April 15, 2020 23:37
Merged
Upgrade packages to address vulnerabilities in:

* minimist (must be >= 0.2.1 or 1.2.3)
* acorn (must be >= 6.4.1)
* kind-of (must be >= 6.0.03)

Closes #542

There are a few packages that are still yet to be updated:

* commitizen>minimist (chore(deps): bump minimist from 1.2.0 to 1.2.3 commitizen/cz-cli#721)
* http-server>optimist>minimist (Replace optimist with minimist http-party/http-server#614)

I needed to use a resolution for `minimist` and `acorn` since these two don't look like they're getting much movement. We're now getting some yarn warnings, but I don't think anything is breaking and it's better than a vulnerability.

I removed `react-scripts` because we've wanted it gone for a while (#542) and it was using `acorn`.

For the `minimist` resolution, we're waiting on a new release from `commitizen`, and I'm not sure what's going to happen for `http-server`.

Note for future reference: For some reason upgrading `rollup-plugin-terser` was giving us problems with storybook in IE11. It was causing us to emit dynamic imports (not supported in IE) for `@storybook/addons-storysource`. I'm very confused as to why, since rollup is only used in js-build (used for one css component) and has nothing to do with webpack. It's not affected by these vulnerabilities so I've reverted the upgrade. Hopefully we don't run into this again 🤷‍♂️
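A check for the lockfile state the description above talks about, as an added example that is not canvas-kit code and not part of this PR: it parses a `yarn.lock` in the v1 format, flags entries whose resolved version of `minimist`, `acorn` or `kind-of` is still below the patched versions the description lists, and builds the `package.json` `resolutions` map that pins them the way the PR did. The lockfile text is constructed for illustration (the `resolved` URLs are placeholders), the function names are this example's own, and the `kind-of` minimum written as `6.0.03` is taken as `6.0.3`.

```javascript
// Added example, not canvas-kit code: audit a yarn.lock (v1) against the
// patched versions named in the PR description and suggest "resolutions".

// Minimum patched versions from the PR description. minimist has two release
// lines (0.x and 1.x) with separate fixes; kind-of's "6.0.03" is read as 6.0.3.
const PATCHED = {
  minimist: ['0.2.1', '1.2.3'],
  acorn: ['6.4.1'],
  'kind-of': ['6.0.3'],
};

// "1.2.3-beta.1" -> [1, 2, 3]; pre-release/build suffixes are ignored.
function parseVersion(s) {
  return s.split(/[-+]/, 1)[0].split('.').map(Number);
}

// Numeric, component-wise comparison; missing components count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Patched if on a release line that has a fix and at/above that fix, or on a
// major newer than any line the PR lists (so acorn 7.x counts as >= 6.4.1).
function isPatched(version, patchedList) {
  const v = parseVersion(version);
  const fixes = patchedList.map(parseVersion);
  if (v[0] > Math.max(...fixes.map((f) => f[0]))) return true;
  return fixes.some((f) => f[0] === v[0] && compareVersions(v, f) >= 0);
}

// yarn.lock v1: an unindented header such as `minimist@^1.2.0, minimist@~1.2.0:`
// (quoted when the package is scoped) followed by an indented `version "..."`.
function parseYarnLock(text) {
  const entries = [];
  let pending = [];
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    if (!line || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      pending = line.slice(0, -1).split(', ').map((key) => {
        const k = key.replace(/^"|"$/g, '');
        const at = k.lastIndexOf('@'); // lastIndexOf keeps "@scope/pkg" intact
        return { name: k.slice(0, at), range: k.slice(at + 1) };
      });
    } else if (line.trim().startsWith('version ')) {
      const version = line.trim().slice('version '.length).replace(/"/g, '');
      for (const p of pending) entries.push({ ...p, version });
      pending = [];
    }
  }
  return entries;
}

// Entries that resolve to a version below the patched minimum. hasOwnProperty
// avoids matching prototype names such as "constructor" via the `in` operator.
function findVulnerable(lockText) {
  return parseYarnLock(lockText).filter(
    (e) => Object.prototype.hasOwnProperty.call(PATCHED, e.name) &&
      !isPatched(e.version, PATCHED[e.name]),
  );
}

// package.json "resolutions" forcing each flagged package to its newest fix.
function suggestResolutions(vulnerable) {
  const out = {};
  for (const e of vulnerable) {
    const newest = PATCHED[e.name][PATCHED[e.name].length - 1];
    out[e.name] = `^${newest}`;
  }
  return out;
}

// Constructed sample lockfile; resolved URLs are placeholders.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@storybook/addons@^5.3.0":
  version "5.3.17"
  resolved "https://registry.example/constructed/addons-5.3.17.tgz"

acorn@^5.5.3:
  version "5.7.3"

acorn@^6.0.1, acorn@^6.2.1:
  version "6.4.1"
  resolved "https://registry.example/constructed/acorn-6.4.1.tgz"

kind-of@^6.0.0, kind-of@^6.0.2:
  version "6.0.2"

minimist@0.0.8:
  version "0.0.8"

minimist@^1.2.0, minimist@~1.2.0:
  version "1.2.3"
`;

for (const e of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${e.name}@${e.range} -> ${e.version}, below ${PATCHED[e.name].join(' / ')}`);
}
console.log('resolutions:', JSON.stringify(suggestResolutions(findVulnerable(SAMPLE_LOCK))));
```

To run it against a real checkout, replace `SAMPLE_LOCK` with `require('fs').readFileSync('yarn.lock', 'utf8')`. A `resolutions` entry overrides every requested range for that package, including the transitive ones from `commitizen` and `http-server` mentioned above, which is why the PR saw yarn warnings; re-run the test suite after pinning rather than trusting a clean install.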