Update npm packages to mitigate vulnerabilities #51
Conversation
The following 3 vulnerabilities were addressed in
The following 7 vulnerabilities require manual review
I'm still getting my footing with the world of npm; I'm not sure what the usual handling of audit warnings like this is. I'm going to dig in and read the advisories to try to form some opinions of my own, but I'd also love to hear opinions on what does/doesn't really matter to us in this regard. e.g., we can can this whole PR if it doesn't seem necessary.
Notes: The 7 vulnerabilities listed above boil down to only 4 packages needing updates (one of them appears 4 times as a dependency of other packages).
Questions:
After replacing the standard
We're currently using the most current version of
NOTE: this is marked WIP because I have outstanding questions (see above comments); would love 👀 on it.
This is super-useful and necessary, really appreciate your picking it up. Most of these probably don't hit us too hard as we're running this on the server, but the axios one might, and we're definitely in better-safe-than-sorry land. I would say, go ahead and bump axios in the lock file and let's keep an eye out for a newer version of github-api at https://github.com/github-tools/github/releases . Though it's also been a while since the last release there, so we'll see if that happens.
...interesting. Looking at the releases page you linked, it looks like it has indeed been a while, but on its npm package page it was updated 2 months ago. I guess they missed updating a tag or something (I haven't used the releases feature in GH, not sure how that would fall out of sync). The good news is that there is a PR open that fixes the axios issue -- once it passes tests. I'll open an issue to track that.
If you run
All of the remaining vulnerabilities from the last audit stemmed from request.
Updating the request package still left a lot of vulnerabilities, and since ultimately request is a dependency of hubot-flowdock it seemed wise to go one more level up. The last update to hubot-flowdock was a year ago; reload has fixed some dependencies since then.
No, I get the same result (sorry I commented on that - but in flowdock instead of here):
Although... now that I have links to the updated axios tar and sha (I wasn't sure how to get those) - maybe I can paste them into the requirements section of the github dependencies?
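The notes above collapse 7 audit findings to 4 packages and then trace request up to hubot-flowdock to decide what to bump. The script below is an added example (not code from this PR or its project) that does that triage over a constructed sample in the shape of npm 6 `npm audit --json` output; the format assumption, ids, versions and dependency paths are all made up for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like npm 6 `npm audit --json` (assumed format);
# advisory ids, versions and paths are invented for illustration.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "1001": {"id": 1001, "module_name": "request", "patched_versions": ">=2.88.0",
                 "findings": [{"version": "2.81.0", "paths": [
                     "hubot-flowdock>request",
                     "hubot-flowdock>some-client>request"]}]},
        "1002": {"id": 1002, "module_name": "request", "patched_versions": ">=2.88.0",
                 "findings": [{"version": "2.81.0",
                               "paths": ["hubot-flowdock>request"]}]},
        "1003": {"id": 1003, "module_name": "axios", "patched_versions": ">=0.18.1",
                 "findings": [{"version": "0.17.1", "paths": ["github-api>axios"]}]},
    }
})


def triage(audit_json):
    """Collapse advisories to one entry per vulnerable module and record which
    top-level dependency pulls it in, i.e. what actually needs bumping."""
    report = json.loads(audit_json)
    by_module = defaultdict(lambda: {"advisories": set(), "roots": set(),
                                     "direct": False, "patched": set()})
    for adv in report["advisories"].values():
        entry = by_module[adv["module_name"]]
        entry["advisories"].add(adv["id"])
        entry["patched"].add(adv["patched_versions"])
        for finding in adv["findings"]:
            for path in finding["paths"]:
                chain = path.split(">")        # "root>...>module" dependency chain
                if len(chain) == 1:
                    entry["direct"] = True     # listed in package.json itself
                else:
                    entry["roots"].add(chain[0])
    return {m: {"advisories": sorted(v["advisories"]), "roots": sorted(v["roots"]),
                "direct": v["direct"], "patched": sorted(v["patched"])}
            for m, v in by_module.items()}


def summarize(audit_json):
    """One line per vulnerable module: how many advisories, and what to bump."""
    lines = []
    for module, info in sorted(triage(audit_json).items()):
        action = ("bump %s directly" % module if info["direct"] else
                  "bump %s (it pins %s)" % (", ".join(info["roots"]), module))
        lines.append("%s: %d advisories, patched in %s; %s" % (
            module, len(info["advisories"]), " / ".join(info["patched"]), action))
    return lines
```

Three advisories collapse to two modules here, and request is reported as fixable only by bumping hubot-flowdock, matching the reasoning in the notes.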
It may be better to just wait on this a couple days and see if the github api gets bumped up: looks like they are actively dealing with it (comment 3 hours ago, closing out one PR in favor of another. The open PR isn't passing tests yet, but I'm guessing if they've selected which PR to go with, they are working on it).
Yeah, after reading the For now let's hold off. I'm not convinced we'll see quick movement; looks like the person who closed the PR you linked was the author of that PR and doesn't work at GitHub; however, maybe we get lucky ;) You may also want to try prodding GitHub on Twitter if this is still sitting around in a few days.
Oh wait -- now that I'm looking more closely, it looks like that user has been given write access to the repo (!!!), so we may see some progress after all 🤞
Adding an issue to look into replacing this with Octokit.
Goodness. And also Moving to octokit is definitely the thing to do, nice find!
36711de to 6071efe
I dropped the last commit (the one with the failed attempt to manually update axios).
Cool. How are we feeling about dropping the WIP?
You know... I was thinking about it yesterday, then hesitated -- but should have commented here about why:
Any thoughts on that? Or do we just, um, QA-via-deploy 😬 😁? (I don't exactly think "add test suite" is within scope here, but wondering if there are other ways to smoke-test while running locally?)
Following up on offline chat about these questions:
YOLO 🤞
This PR updates most of the packages recommended by npm
The 1 remaining vulnerability is dependent on an update to the github-tools github-api package, which should be landing in the near future -- but which should not block this PR.
TODO:
- possibly wait until github updates their package and get it all dealt with at once?
- test that nothing breaks (? how ?)