CVE-2022-37601 bump it up #2355

Merged
merged 4 commits into from
Oct 2, 2024

zburke (Member) commented Oct 1, 2024

There's a slew of CVEs that stem from outdated versions in yarn.lock and some cruft in package.json that should've been removed ages ago:

  • hoist-non-react-statics hasn't been necessary since we yanked out the injectIntl hoc in 2018 in PR #696 (Remove injectIntl() fork)
  • @mdx-js/loader I think is leftover from some early storybook work but storybook builds happily without it so 🤷
  • bump .github/workflows/ui.yml from 1.1 to 1.5 to avoid trouble publishing yarn.lock when tests fail

Refs CVE-2022-37601

There's a slew of CVEs that stem from outdated versions in `yarn.lock`
and some cruft in `package.json` that should've been removed ages ago:

* `hoist-non-react-statics` hasn't been necessary since we yanked out
  the `injectIntl` hoc in 2018 in PR #696
* `@mdx-js/loader` I think is leftover from some early storybook work
  but storybook builds happily without it so 🤷

Refs CVE-2022-37601

zburke requested a review from JohnC-80 October 1, 2024 18:17

github-actions bot commented Oct 1, 2024

Bigtest Unit Test Results

    1 files  ±0      1 suites  ±0   14s ⏱️ ±0s
1 521 tests ±0  1 513 ✅ ±0  8 💤 ±0  0 ❌ ±0 
1 523 runs  ±0  1 515 ✅ ±0  8 💤 ±0  0 ❌ ±0 

Results for commit ebbe27f. ± Comparison against base commit 308daff.

♻️ This comment has been updated with latest results.

JohnC-80 (Contributor) commented Oct 1, 2024

stripes-core is inquiring and wants to know since it actually does use hoist-non-react-statics...

  • @mdx-js/loader I think is leftover from some early storybook work but storybook builds happily without it so 🤷

Indeed... this was all storybook.

sonarcloud bot commented Oct 2, 2024

zburke merged commit e5e1421 into master Oct 2, 2024
25 checks passed
zburke deleted the CVE-2022-37601 branch October 2, 2024 12:14
github-actions bot pushed a commit that referenced this pull request Oct 2, 2024:

There's a slew of CVEs that stem from outdated versions in `yarn.lock`
and some cruft in `package.json` that should've been removed ages ago:

* `hoist-non-react-statics` hasn't been necessary since we yanked out
  the `injectIntl` hoc in 2018 in PR #696
* `@mdx-js/loader` I think is leftover from some early storybook work
  but storybook builds happily without it so 🤷
* bump `.github/workflows/ui.yml` from 1.1 to 1.5 to avoid trouble 
  publishing yarn.lock when tests fail

Refs CVE-2022-37601

Co-authored-by: John Coburn <jcoburn@ebsco.com>