Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependency update #4647

Closed
wants to merge 5 commits into from
Closed

Dependency update #4647

wants to merge 5 commits into from

Conversation

Saibamen
Copy link
Contributor

@Saibamen Saibamen commented Apr 3, 2024

Tick the checkbox if you understand [x]:

  • I have read and understand the pull request rules.

Description

Fix vulnerabilities + update already installed versions in package.json (ncu --target patch -u - see commit 1c0280f and ncu --target semver -u 7c07f97)

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • My code follows the style guidelines of this project
  • I ran ESLint and other linters for modified files
  • I have performed a self-review of my own code and tested it
  • I have commented my code, particularly in hard-to-understand areas (including JSDoc for methods)
  • My changes generates no new warnings
  • My code needed automated testing. I have added them (this is optional task)

Screenshots (if any)

Before

image

After

image

@Saibamen
Copy link
Contributor Author

Saibamen commented Apr 3, 2024

npm audit report:

express  <4.19.2
Severity: moderate

*Currently used version in this PR*: 4.17.3

hoek  *
Severity: high

nodemailer  <=6.9.8
Severity: moderate

*Currently used version in this PR*: 6.6.5

vite  4.0.0 - 4.5.2
Severity: high

*Currently used version in this PR*: 4.4.12

Copy link
Collaborator

@CommanderStorm CommanderStorm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me reiterate my point from #4590 (comment):
Have you read through the changelogs of each update you are proposing carefully?
If not, this is basically just as careless as #4590

Just executing some command is not really a PR, that is just dumping work which needs fixing.
If you have a look at axios-ntlm, they ship their breaking changes in patch releases.

Note

This took me 3.5 hours to review.
Please submit smaller PRs in smaller, thematically linked PRs in the future.
Like this, it is really not managable

@@ -82,127 +82,127 @@
"@louislam/ping": "~0.4.4-mod.1",
"@louislam/sqlite3": "15.1.6",
"args-parser": "~1.3.0",
"axios": "~0.27.0",
"axios-ntlm": "1.3.0",
"axios": "~0.28.1",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding 0.28.0
Have you looked at if
axios/axios#4624 + axios/axios#4718 make the output different and if this is better/worse

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not looked, but better stack trace is always good

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might not look good or require additional work to look decent.
Please have a look if they are displayed properly

"axios": "~0.27.0",
"axios-ntlm": "1.3.0",
"axios": "~0.28.1",
"axios-ntlm": "1.3.1",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Includes Catbuttes/axios-ntlm#15 which bumps axios to 1.X.

This likely breaks something
=> change needs to be done in step with bumping axios once migration is possible.

Suggested change
"axios-ntlm": "1.3.1",
"axios-ntlm": "1.3.0",

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

axios-ntlm will use its own axios, and we will still use axios 0.X

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be still to risky given what this libary does. There might be breaking changes which happened and might make this incompatible:

This is a helper library for NTLM Authentication using the Axios HTTP library on Node. It attaches interceptors to an axios instance to authenticate using NTLM for any resources that offer it.

package.json Show resolved Hide resolved
package.json Show resolved Hide resolved
"mqtt": "~4.3.7",
"liquidjs": "^10.10.2",
"mongodb": "~4.17.2",
"mqtt": "~4.3.8",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

4.3.8 is neither documented in the changelog nor has an associated commit tag.
=> what are we migrating to here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

4.3.8 was already installed in package-lock before my PR:
image

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was not the point. I was asking what 4.3.8 is.

package.json Outdated Show resolved Hide resolved
Comment on lines +151 to +152
"@babel/eslint-parser": "^7.24.1",
"@babel/preset-env": "^7.24.4",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For these dependencies is somewhat hard to audit what has changed in this bump.
How did you audit this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These dependencies had MINOR update ranges, so it is automatically downloaded. See: https://docs.npmjs.com/about-semantic-versioning#using-semantic-versioning-to-specify-update-types-your-package-can-accept

And we already had installed 7.23.7 in package-lock.json 4 months ago by @louislam in 8d847ab:
image

Copy link
Collaborator

@CommanderStorm CommanderStorm Apr 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So you are suggesting to just not search for breaking changes here?
Have you audited the changes?

package.json Show resolved Hide resolved
package.json Outdated Show resolved Hide resolved
"qrcode": "~1.5.0",
"rollup-plugin-visualizer": "^5.6.0",
"qrcode": "~1.5.3",
"rollup-plugin-visualizer": "^5.12.0",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

5.7 adds the emitFile (default: false) option.

We use this plugin to generate a file.
Have you checked that the file is still being generated?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already have rollup-plugin-visualizer installed with version 5.12.0 - no changes for this package in package-lock:
image

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you checked that the file is still being generated?
Automatically bumping this in the package-lock might have been a mistake.

@CommanderStorm CommanderStorm changed the title Fix: Axios update - fix vulnerabilities [1.23.X] Dependency update Apr 4, 2024
@Saibamen
Copy link
Contributor Author

Saibamen commented Apr 4, 2024

Have you read through the changelogs of each update you are proposing carefully?

Yes. Only 2 packages were updated in my PR: axios and axios-ntlm. See commits: https://github.com/louislam/uptime-kuma/pull/4647/commits

@CommanderStorm
Copy link
Collaborator

CommanderStorm commented Apr 4, 2024

Only 2 packages were updated in my PR

Why is this PR then
image

Looking through the changelog is still an important part of updating.
There might have been breaking changes that have been missed, despite this package being in the package-lock.
I really don't like these responses ("I don't need to look into this, because package-lock") to potentially breaking changes that you are giving.
=> Please actually check the cases I raised instead of handwaving them away.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants