381acaa to a019f7e
| *Please add entries here for your pull requests that are not yet released.* | ||
|
|
||
| ### Fixed | ||
| - Upgrade several JS dependencies to knows security issues. [PR 1514](https://github.com/shakacode/react_on_rails/pull/1514) by [ahangarha](https://github.com/ahangarha) |
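Review bot: the new changelog entry reads "to knows security issues", which drops the verb; it should say "to fix known security issues". Since the PR also handles one package (ansi-regex) through a `resolutions` pin rather than a plain upgrade, name that in the entry so the changelog records the workaround and the fact that it is meant to be temporary.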
Upgrade several JS dependencies to fix security issues.
My bad! Editing several times and finally pushing a wrong sentence! 😞
Fixed ✅
| "react-dom": ">= 16" | ||
| }, | ||
| "resolutions": { | ||
| "ansi-regex": "^3.0.1" |
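Review bot: the `"ansi-regex": "^3.0.1"` resolution forces that version onto every dependent in the tree regardless of the range each one declares, and package.json cannot carry a comment explaining why. Record the reason (the temporary workaround for prettier-eslint-cli and eslint) and the follow-up to remove the pin in the PR body or changelog, not only in a commit message. Note also that `resolutions` is honoured by Yarn only; anyone installing this repository with npm does not get the override, so the pin protects this project's own install and nothing downstream.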
Why is this needed?
It should be documented in the PR.
I explained in its own commit:
This is a temporary fix due to complexities of upgrading eslint and
other relevant dependencies (namely prettier-eslint-cli) to newer
versions.
Maybe I should have brought it into the PR body as well.
Since we had a kind of urgency in resolving high/critical vulnerabilities, I made a tradeoff and chose to use this approach for this particular package rather than spending hours or days fixing the issues with upgrading prettier-eslint-cli, which required upgrading eslint and making modifications to our source code to address the breaking changes.
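A `resolutions` pin only helps if the lockfile actually re-resolved every `ansi-regex` entry to the pinned version, which a reviewer reading package.json alone cannot see. The script below is an added example, not code from react_on_rails or from this PR: it parses a Yarn v1 `yarn.lock` (the format used here; Yarn Berry's lockfile is different and not handled) and reports every entry for a package whose resolved version is below the floor the pin demands. Both lockfile snippets are constructed for the example, one as the tree might have looked before the pin and one after; the package name `ansi-regex` and the floor `3.0.1` mirror the resolution in the PR, and the function names are this example's own.

```javascript
// Added example (not from react_on_rails or PR 1514): verify that a Yarn
// "resolutions" pin took effect by reading yarn.lock (v1 format) and checking
// every entry for the package against a minimum version.

// Constructed lockfile snippet: two ansi-regex entries resolved below 3.0.1.
const BEFORE_LOCK = `
# yarn lockfile v1

"@babel/code-frame@^7.0.0":
  version "7.18.6"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.18.6.tgz"

ansi-regex@^2.0.0:
  version "2.1.1"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-2.1.1.tgz"

ansi-regex@^3.0.0:
  version "3.0.0"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-3.0.0.tgz"

strip-ansi@^4.0.0:
  version "4.0.0"
  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-4.0.0.tgz"
  dependencies:
    ansi-regex "^3.0.0"
`;

// Constructed lockfile snippet after a "resolutions": {"ansi-regex": "^3.0.1"}
// pin: Yarn collapses every range, even ^2.0.0, onto the single forced version.
const AFTER_LOCK = `
# yarn lockfile v1

"@babel/code-frame@^7.0.0":
  version "7.18.6"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.18.6.tgz"

ansi-regex@^2.0.0, ansi-regex@^3.0.0, ansi-regex@^3.0.1:
  version "3.0.1"
  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-3.0.1.tgz"

strip-ansi@^4.0.0:
  version "4.0.0"
  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-4.0.0.tgz"
  dependencies:
    ansi-regex "^3.0.0"
`;

// A lockfile key looks like name@range; scoped packages start with "@", so the
// name/range boundary is the last "@" in the key.
function splitKey(key) {
  const at = key.lastIndexOf('@');
  return { name: key.slice(0, at), range: key.slice(at + 1) };
}

// Minimal yarn.lock v1 parser: an unindented line ending in ":" opens an entry
// whose comma-separated, optionally quoted keys all share the following
// "version" line. Indented lines (resolved, integrity, dependencies) are ignored.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (raw.trim() === '' || raw.startsWith('#')) continue;
    if (!/^\s/.test(raw) && raw.endsWith(':')) {
      const keys = raw.slice(0, -1).split(',').map(k => k.trim().replace(/^"|"$/g, ''));
      current = { keys: keys.map(splitKey), version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric major.minor.patch comparison; enough for registry versions, and it
// refuses anything it cannot parse rather than silently treating it as safe.
function parseVersion(v) {
  const m = v.match(/^(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function versionAtLeast(v, min) {
  const a = parseVersion(v), b = parseVersion(min);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Every lockfile entry for pkgName, with whether its resolved version meets the floor.
function auditResolution(lockText, pkgName, minVersion) {
  const findings = [];
  for (const entry of parseYarnLock(lockText)) {
    for (const { name, range } of entry.keys) {
      if (name !== pkgName) continue;
      const ok = entry.version !== null && versionAtLeast(entry.version, minVersion);
      findings.push({ range, version: entry.version, ok });
    }
  }
  return findings;
}

// The ranges still pointing at a version below the floor; empty means the pin held.
function unresolvedRanges(lockText, pkgName, minVersion) {
  return auditResolution(lockText, pkgName, minVersion).filter(f => !f.ok).map(f => f.range);
}

for (const [label, lock] of [['before pin', BEFORE_LOCK], ['after pin', AFTER_LOCK]]) {
  const bad = unresolvedRanges(lock, 'ansi-regex', '3.0.1');
  console.log(`${label}: ${bad.length === 0 ? 'every ansi-regex entry is >= 3.0.1' : 'still below floor: ' + bad.join(', ')}`);
}
```

The "after" snippet shows the behaviour the reviewer is asking to have documented: the pin rewrites the `^2.0.0` entry to 3.0.1 as well, outside the range that dependent declared, so the override is invisible in package.json and only the lockfile records it. Running a check like this in CI against the real `yarn.lock` catches the case where a later merge regenerates the lockfile and quietly reintroduces an old version.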
| "react": "^16.5.2", | ||
| "react-dom": "^16.5.2", | ||
| "prop-types": "^15.8.1", | ||
| "react": "^16.14.0", |
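Review bot: react and react-dom move to ^16.14.0 while the package's own peer range (`"react-dom": ">= 16"`, visible above) admits 17 and later, so the dev pin and what consumers may install now diverge; state in the PR whether staying on 16 is deliberate and that these bumps are version hygiene rather than a security fix, so the changelog's "fix security issues" wording is not read as covering React.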
Why is react not upgraded to 17 at least?
There was no security issue with React. For such dependencies, I only pushed all minor versions. I thought it might be a development decision which version of React to use.
106c21f to 4b0dfdf
This is a temporary fix due to complexities of upgrading eslint and other relevant dependencies (namely prettier-eslint-cli) to newer versions.
4b0dfdf to 18b93e2
In this PR, I have updated our JS dependencies to address several known security vulnerabilities. Among them, and due to our urgency, I resolved the issues with `ansi-regex` using a `resolutions` entry in `yarn.lock`. This is a temporary fix due to complexities of upgrading eslint and other relevant dependencies (namely prettier-eslint-cli) to newer versions. This change is