This repository has been archived by the owner on May 3, 2024. It is now read-only.

chore(deps): update all the things #1327

Merged
merged 36 commits into from
Mar 20, 2024

Conversation

10xLaCroixDrinker
Member

@10xLaCroixDrinker 10xLaCroixDrinker commented Mar 14, 2024

This PR looks a lot bigger than it really is. The vast majority of files changed were just eslint update related, and most of those were automatic with --fix. While over 170 files have changed, less than 30 JS files have any changes that are not just from eslint. For all the files that are changed for other reasons, I explain each below. However, the bulk of this PR's impact is in package.json & package-lock.json. Every dependency that could be updated has been. Some dependencies have been removed because they were not used or were not necessary.

Dependency Changes

Total count & node_modules size

Before: 2389 (950MB)

After: 1995 (447MB)

Deprecation warnings

Before: 22 warnings

complete log
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated stringify-package@1.0.1: This module is not used anymore, and has been replaced by @npmcli/package-json
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated trim@0.0.1: Use String.prototype.trim() instead
npm WARN deprecated rollup-plugin-terser@7.0.2: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-terser
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated @gitbeaker/node@35.8.1: Please use its successor @gitbeaker/rest
npm WARN deprecated url-search-params@0.10.2: now available as @ungap/url-search-params
npm WARN deprecated eslint-loader@4.0.2: This loader has been deprecated. Please use eslint-webpack-plugin
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

After: 16 warnings

complete log
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated stringify-package@1.0.1: This module is not used anymore, and has been replaced by @npmcli/package-json
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated @babel/plugin-proposal-class-properties@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.
npm WARN deprecated figgy-pudding@3.5.2: This module is no longer supported.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated w3c-hr-time@1.0.2: Use your platform's native performance.now() and performance.timeOrigin.
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated @gitbeaker/node@35.8.1: Please use its successor @gitbeaker/rest
npm WARN deprecated url-search-params@0.10.2: now available as @ungap/url-search-params
npm WARN deprecated fsevents@1.2.13: The v1 package contains DANGEROUS / INSECURE binaries. Upgrade to safe fsevents v2
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

Vulnerabilities

Before: 20 vulnerabilities (9 moderate, 11 high)

After: 6 high severity vulnerabilities

Updated

| Dependency | Version in main | Updated | On Latest |
| --- | --- | --- | --- |
| @americanexpress/one-app-bundler | 6.21.5 | N/A* | ✅ Yes* |
| @americanexpress/one-app-server-bundler | N/A* | 1.0.2 | ✅ Yes |
| @babel/cli | 7.21.0 | 7.23.9 | ✅ Yes |
| @babel/core | 7.22.15 | 7.24.0 | ✅ Yes |
| @commitlint/cli | 18.6.0 | 19.2.0 | ✅ Yes |
| @commitlint/config-conventional | 17.7.0 | 19.1.0 | ✅ Yes |
| @fastify/compress | 6.4.0 | 7.0.0 | ✅ Yes |
| @fastify/cookie | 9.3.1 | 9.3.1 | ✅ Yes |
| @fastify/cors | 8.4.0 | 9.0.1 | ✅ Yes |
| @fastify/static | 6.12.0 | 7.0.1 | ✅ Yes |
| @rollup/plugin-node-resolve | 15.1.0 | 15.2.3 | ✅ Yes |
| @rollup/plugin-replace | 4.0.0 | 5.0.5 | ✅ Yes |
| @rollup/plugin-terser | N/A* | 0.4.4 | ✅ Yes |
| chokidar | 3.5.3 | 3.6.0 | ✅ Yes |
| core-js | 3.35.0 | 3.36.0 | ✅ Yes |
| eslint-config-amex | 14.2.1 | 16.0.0 | ✅ Yes |
| eslint-plugin-jest-dom | 3.9.4 | 4.0.3 | 🚫 No (5.1.0) |
| eslint-plugin-jest | 24.7.0 | 27.9.0 | ✅ Yes |
| eslint | 7.32.0 | 8.57.0 | ✅ Yes |
| fastify-metrics | 10.6.0 | 11.0.0 | ✅ Yes |
| fastify | 4.25.2 | 4.26.2 | ✅ Yes |
| holocron-module-route | 1.7.0 | 1.10.2 | ✅ Yes |
| holocron | 1.9.2 | 1.10.2 | ✅ Yes |
| husky | 8.0.3 | 9.0.11 | ✅ Yes |
| immutable | 4.2.4 | 4.3.5 | ✅ Yes |
| joi | 17.8.3 | 17.12.2 | ✅ Yes |
| lockfile-lint | 4.12.1 | 4.13.2 | ✅ Yes |
| node-mocks-http | 1.12.1 | 1.14.1 | ✅ Yes |
| prettier | 2.8.4 | 2.8.8 | 🚫 No (3.2.5) |
| regenerator-runtime | 0.13.11 | 0.14.1 | ✅ Yes |
| reselect | 4.1.7 | 4.1.8 | 🚫 No (5.1.0) |
| rollup-plugin-terser | 7.0.2 | N/A* | ✅ Yes* |
| rollup | 2.79.1 | 4.13.0 | ✅ Yes |
| semver | 7.5.4 | 7.6.0 | ✅ Yes |
| tar | 6.1.15 | 6.2.0 | ✅ Yes |
| uuid | 9.0.0 | 9.0.1 | ✅ Yes |
| webdriverio | 7.34.0 | 7.36.0 | 🚫 No (8.34.0) |
| wildcard-match | 5.1.2 | 5.1.3 | ✅ Yes |

*package was renamed

Removed (unused)

| Dependency | Version in main |
| --- | --- |
| @babel/node | 7.20.7 |
| @babel/register | 7.23.7 |
| babel-eslint | 10.1.0 |
| body-parser | 1.20.2 |
| cors | 2.8.5 |
| helmet | 7.0.0 |
| find-up | 5.0.0 |
| react-test-renderer | 17.0.2 |
| rollup-plugin-babel | 4.4.0 |
| supertest | 6.3.3 |

None of these were in use.

Removed (refactored)

| Dependency | Version in main | Replaced with |
| --- | --- | --- |
| fs-extra | 11.2.0 | node:fs |
| https-proxy-agent | 5.0.1 | proxy-agent |
| if-env | 1.0.4 | (POSIX conditional) |
| lodash.set | 4.3.2 | (Function) |
| mkdirp | 2.1.5 | node:fs |
| node-fetch | 2.6.12 | (global fetch) |
| rimraf | 5.0.5 | node:fs |

  • lodash.set was marked vulnerable by dependabot
  • proxy-agent is an existing dependency that implements https-proxy-agent
  • cross-fetch already adds node-fetch to the global scope

Unchanged

| Dependency | Version | On Latest |
| --- | --- | --- |
| @americanexpress/env-config-utils | 2.0.4 | ✅ Yes |
| @americanexpress/fetch-enhancers | 1.1.5 | ✅ Yes |
| @americanexpress/one-app-dev-proxy | 2.0.0 | ✅ Yes |
| @americanexpress/one-app-ducks | 4.4.4 | 🚫 No (4.5.0) |
| @americanexpress/one-app-router | 1.2.1 | ✅ Yes |
| @americanexpress/one-service-worker | 1.0.4 | ✅ Yes |
| @americanexpress/vitruvius | 3.0.1 | ✅ Yes |
| @autotelic/fastify-opentelemetry | 0.20.0 | ✅ Yes |
| @fastify/formbody | 7.4.0 | ✅ Yes |
| @fastify/helmet | 11.1.1 | ✅ Yes |
| @fastify/rate-limit | 9.1.0 | ✅ Yes |
| @fastify/sensible | 5.5.0 | ✅ Yes |
| @opentelemetry/api-logs | 0.49.1 | ✅ Yes |
| @opentelemetry/api | 1.8.0 | ✅ Yes |
| @opentelemetry/core | 1.22.0 | ✅ Yes |
| @opentelemetry/exporter-trace-otlp-grpc | 0.49.1 | ✅ Yes |
| @opentelemetry/instrumentation-http | 0.49.1 | ✅ Yes |
| @opentelemetry/instrumentation-pino | 0.36.0 | ✅ Yes |
| @opentelemetry/instrumentation | 0.49.1 | ✅ Yes |
| @opentelemetry/resources | 1.22.0 | ✅ Yes |
| @opentelemetry/sdk-trace-base | 1.22.0 | ✅ Yes |
| @opentelemetry/sdk-trace-node | 1.22.0 | ✅ Yes |
| @opentelemetry/semantic-conventions | 1.22.0 | ✅ Yes |
| @rollup/plugin-babel | 6.0.4 | ✅ Yes |
| abort-controller | 3.0.0 | ✅ Yes |
| accepts | 1.3.8 | ✅ Yes |
| amex-jest-preset | 7.0.0 | ✅ Yes |
| babel-preset-amex | 4.0.3 | ✅ Yes |
| bytes | 3.1.2 | ✅ Yes |
| cacheable-lookup | 6.1.0 | 🚫 No (7.0.0) |
| chalk | 4.1.2 | 🚫 No (5.3.0) |
| concurrently | 8.2.2 | ✅ Yes |
| conventional-changelog-cli | 2.2.2 | 🚫 No (4.1.0) |
| create-shared-react-context | 1.0.5 | ✅ Yes |
| cross-env | 7.0.3 | ✅ Yes |
| cross-fetch | 4.0.0 | ✅ Yes |
| danger | 11.3.1 | ✅ Yes |
| deepmerge | 4.3.1 | ✅ Yes |
| eslint-plugin-es | 4.1.0 | ✅ Yes |
| expect | 29.7.0 | ✅ Yes |
| fastify-plugin | 4.5.1 | ✅ Yes |
| flat | 5.0.2 | 🚫 No (6.0.1) |
| jest-circus | 29.7.0 | ✅ Yes |
| jest-environment-jsdom | 28.1.3 | 🚫 No (29.7.0) |
| jest | 29.7.0 | ✅ Yes |
| js-yaml | 4.1.0 | ✅ Yes |
| lean-intl | 4.2.2 | ✅ Yes |
| matcher | 4.0.0 | 🚫 No (5.0.0) |
| nodemon | 3.1.0 | ✅ Yes |
| object-hash | 3.0.0 | ✅ Yes |
| on-finished | 2.4.1 | ✅ Yes |
| opossum-prometheus | 0.3.0 | ✅ Yes |
| opossum | 8.1.3 | ✅ Yes |
| parse-prometheus-text-format | 1.1.1 | ✅ Yes |
| pidusage | 3.0.2 | ✅ Yes |
| pino-opentelemetry-transport | 0.6.0 | ✅ Yes |
| pino-pretty | 10.3.1 | ✅ Yes |
| pino | 8.19.0 | ✅ Yes |
| prom-client | 15.1.0 | ✅ Yes |
| prop-types | 15.8.1 | ✅ Yes |
| proxy-agent | 6.4.0 | ✅ Yes |
| react-dom | 17.0.2 | 🚫 No (18.2.0) |
| react-helmet | 6.1.0 | ✅ Yes |
| react-redux | 7.2.9 | 🚫 No (9.1.0) |
| react | 17.0.2 | 🚫 No (18.2.0) |
| redux-lifesaver | 2.1.0 | ✅ Yes |
| redux | 4.2.1 | 🚫 No (5.0.1) |
| serialize-error | 8.1.0 | 🚫 No (11.0.0) |
| service-worker-mock | 2.0.5 | ✅ Yes |
| standard-version | 9.5.0 | ✅ Yes |
| striptags | 3.2.0 | ✅ Yes |
| thread-stream | 2.4.1 | ✅ Yes |
| transit-immutable-js | 0.8.0 | ✅ Yes |
| transit-js | 0.8.874 | ✅ Yes |
| url-polyfill | 1.1.12 | ✅ Yes |
| yargs | 17.7.2 | ✅ Yes |

Why not latest?

| Dependency | Version in main | Updated | Latest | Reason |
| --- | --- | --- | --- | --- |
| @americanexpress/one-app-ducks | 4.4.4 | N/A | 4.5.0 | 🐛 bug |
| cacheable-lookup | 6.1.0 | N/A | 7.0.0 | 📦 ESM |
| chalk | 4.1.2 | N/A | 5.3.0 | 📦 ESM |
| conventional-changelog-cli | 2.2.2 | N/A | 4.1.0 | 🔗 standard-version |
| eslint-plugin-jest-dom | 3.9.4 | 4.0.3 | 5.1.0 | 🔗 eslint-config-amex |
| flat | 5.0.2 | N/A | 6.0.1 | 📦 ESM |
| jest-environment-jsdom | 28.1.3 | N/A | 29.7.0 | 🐛 bug |
| matcher | 4.0.0 | N/A | 5.0.0 | 📦 ESM |
| prettier | 2.8.4 | 2.8.8 | 3.2.5 | 🔗 eslint-config-amex |
| react-dom | 17.0.2 | N/A | 18.2.0 | 💥 breaking |
| react-redux | 7.2.9 | N/A | 9.1.0 | 💥 breaking |
| react | 17.0.2 | N/A | 18.2.0 | 💥 breaking |
| redux | 4.2.1 | N/A | 5.0.1 | 💥 breaking |
| reselect | 4.1.7 | 4.1.8 | 5.1.0 | 💥 breaking |
| serialize-error | 8.1.0 | N/A | 11.0.0 | 📦 ESM |
| webdriverio | 7.34.0 | 7.36.0 | 8.34.0 | 📦 ESM |

  • 🐛 bug: there is a bug in this package for which a fix has not been released
  • 🔗 [peer]: the version of this package is limited by a peerDependency requirement or other dependency conflict
  • 📦 ESM: this package is now ESM only
  • 💥 breaking: adopting this update would be a breaking change for our users, requiring a MAJOR release

Each of these has been updated to the latest available/compatible version

npm scripts changes

  • clean:build & clean:test: replaced rimraf with new npm script that uses node:fs
  • test:danger: replaced if-env with POSIX conditional
  • prepare: updated husky command for husky@9

File changes

These are all of the JS file changes that are not a direct result of the eslint update

  • replace fs-extra/mkdirp/rimraf with node:fs
    • __tests__/integration/helpers/moduleDeployments.js
    • __tests__/integration/helpers/moduleMap.js
    • __tests__/server/utils/devCdnFactory.spec.js
    • scripts/build-one-app-docker-setup.js
    • scripts/build-sample-modules.js
    • scripts/build-static-assets-artifact.js
    • scripts/deploy-prod-sample-module.js
    • scripts/utils.js
    • scripts/set-dev-endpoints.js
  • use global fetch instead of importing
    • __tests__/server/utils/devCdnFactory.spec.js
    • src/server/utils/devCdnFactory.js
  • removed unused jest mocks
    • __mocks__
    • __tests__/server/utils/createCircuitBreaker.spec.js
    • src/server/metrics/__mocks__
    • src/server/utils/__mocks__/readJsonFile.js
  • use jest.isolatedModules instead of jest.resetModules
    • __tests__/server/config/env/runTime.spec.js
    • __tests__/server/utils/heapdump.spec.js
    • __tests__/server/utils/stateConfig.spec.js
  • spy instead of mocking
    • __tests__/server/utils/heapdump.spec.js
    • __tests__/server/utils/cdnCache.spec.js
    • __tests__/server/utils/watchLocalModules.spec.js
  • import from one-app-server-bundler instead of one-app-bundler
    • __tests__/server/utils/onModuleLoad.spec.jsx
    • src/server/utils/onModuleLoad.js
  • replace https-proxy-agent with proxy-agent
    • __tests__/integration/helpers/fetchOptions.js
  • updates for husky@9
    • .github
    • .husky
  • updated for changes in rollup API
    • scripts/build-service-workers.js
  • replace vulnerable lodash.set with new function, inline getObjectValueAtPath that was in src but only used in test and delete the tests for that src file
    • __tests__/client/badPartMonkeypatches.spec.js
    • __tests__/server/utils/getObjectValueAtPath.spec.js
    • src/server/utils/getObjectValueAtPath.js

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation (adding or updating documentation)
  • Dependency update
  • Security update

Checklist:

  • My change requires a change to the documentation and I have updated the documentation accordingly.
  • These changes should be applied to a maintenance branch.
  • This change requires cross browser checks.
  • Performance tests should be run against the server prior to merging.
  • This change impacts caching for client browsers.
  • This change impacts HTTP headers.
  • This change adds additional environment variable requirements for One App users.
  • I have added the Apache 2.0 license header to any new files created.

What is the Impact to Developers Using One App?
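
The PR description above says the Dependabot-flagged lodash.set was replaced with a new function. The following is an added example, not code from this PR or from One App, of what a hardened set-by-path helper can look like. It assumes the alert concerns prototype pollution through path segments such as `__proto__`; the names `setAtPath`, `toPath`, `BLOCKED_KEYS` and `rejectsPollution` are hypothetical.

```javascript
// Added example (hypothetical helper, not One App's implementation).
const BLOCKED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Turn "a.b[0].c" into ['a', 'b', '0', 'c']; key arrays pass through as strings.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path).split(/[.[\]]+/).filter(Boolean);
}

function setAtPath(target, path, value) {
  const keys = toPath(path);
  if (keys.length === 0) throw new TypeError('path must not be empty');
  // Validate every segment before mutating anything, so a rejected path
  // leaves the target untouched.
  const bad = keys.find((key) => BLOCKED_KEYS.has(key));
  if (bad !== undefined) throw new RangeError(`refusing to traverse "${bad}"`);

  let node = target;
  for (let i = 0; i < keys.length - 1; i += 1) {
    const key = keys[i];
    // Descend only into own properties; inherited objects are never mutated.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    const next = own ? node[key] : undefined;
    if (next === null || (typeof next !== 'object' && typeof next !== 'function')) {
      // Create an array when the following segment is an index, else an object.
      node[key] = /^\d+$/.test(keys[i + 1]) ? [] : {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Constructed inputs: returns true when the path is rejected and
// Object.prototype is still clean afterwards.
function rejectsPollution(path) {
  let rejected = false;
  try {
    setAtPath({}, path, 'polluted');
  } catch (err) {
    rejected = err instanceof RangeError;
  }
  return rejected && !('polluted' in {}) && !('x' in {});
}
```

A regression test for any replacement of this kind should assert both that ordinary nested paths still work and that a fresh `{}` has no new inherited properties after a rejected call.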

Contributor

github-actions bot commented Mar 14, 2024

Size Change: +15.6 kB (+2%)

Total Size: 735 kB

| Filename | Size | Change |
| --- | --- | --- |
| ./build/app/app.js | 187 kB | +15.6 kB (+9%) 🔍 |
| ./build/app/app~vendors.js | 411 kB | -274 B (0%) |
| ./build/app/vendors.js | 123 kB | +240 B (0%) |

ℹ️ View Unchanged
| Filename | Size |
| --- | --- |
| ./build/app/runtime.js | 7.07 kB |
| ./build/app/service-worker-client.js | 7.25 kB |

compressed-size-action

@10xLaCroixDrinker 10xLaCroixDrinker force-pushed the feature/update-all-the-things-v2 branch 2 times, most recently from 0366fe8 to f786cfa Compare March 14, 2024 20:58
@10xLaCroixDrinker 10xLaCroixDrinker changed the title chore(deps): update all the things / round 2 chore(deps): update all the things Mar 15, 2024
@10xLaCroixDrinker 10xLaCroixDrinker marked this pull request as ready for review March 16, 2024 22:00
@10xLaCroixDrinker 10xLaCroixDrinker requested review from a team as code owners March 16, 2024 22:00
@Matthew-Mallimo Matthew-Mallimo requested a review from a team March 20, 2024 00:38
@10xLaCroixDrinker 10xLaCroixDrinker merged commit e04d9b3 into main Mar 20, 2024
9 checks passed
@10xLaCroixDrinker 10xLaCroixDrinker deleted the feature/update-all-the-things-v2 branch March 20, 2024 14:33
@10xLaCroixDrinker 10xLaCroixDrinker mentioned this pull request Mar 25, 2024
14 tasks