Upgrade dependencies #2360

Merged: zimeg merged 2 commits into main from ah-update-deps on Dec 16, 2024

@hello-ashleyintech
Contributor

Summary

This PR updates the following dep minimums to most recent version to avoid security vulns:

  • @slack/oauth to 3.0.2
  • @slack/socket-mode to 2.0.3
  • @slack/web-api to 7.8.0
  • axios to 1.7.8

Requirements (place an x in each [ ])

hello-ashleyintech added the dependencies label (Pull requests that update a dependency file) Dec 10, 2024
hello-ashleyintech added this to the 4.1.2 milestone Dec 10, 2024
hello-ashleyintech requested review from a team and zimeg December 10, 2024 14:34
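
A check a consumer of this upgrade could run, added here as an example and not part of the PR or the Bolt code base: it scans the "packages" map of a package-lock.json for copies of the four dependencies that resolve below the minimums listed in the summary, including nested copies. The sampleLock data and all function names are constructed for illustration, and prerelease suffixes are ignored when comparing versions.

```javascript
// Added example, not from the PR: minimum versions copied from the summary.
const FLOORS = new Map([
  ["@slack/oauth", "3.0.2"],
  ["@slack/socket-mode", "2.0.3"],
  ["@slack/web-api", "7.8.0"],
  ["axios", "1.7.8"],
]);

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is lower than version b (numeric, field by field).
function isBelow(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Scan the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// Keys are install paths, so nested copies are checked as well as hoisted ones.
function findBelowFloor(lock, floors = FLOORS) {
  const marker = "node_modules/";
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || !entry.version) continue; // root project or linked entry
    const name = path.slice(idx + marker.length);
    const floor = floors.get(name);
    if (floor && isBelow(entry.version, floor)) {
      findings.push({ path, name, version: entry.version, floor });
    }
  }
  return findings;
}

// Constructed sample lockfile content (hypothetical project, not from the PR).
const sampleLock = {
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@slack/web-api": { version: "7.8.0" },
    "node_modules/axios": { version: "1.7.8" },
    "node_modules/@slack/oauth/node_modules/axios": { version: "1.7.4" },
  },
};
console.log(findBelowFloor(sampleLock));
```

The hoisted axios passes while the nested copy is reported, which is the case a top-level version check misses.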
@hello-ashleyintech
Contributor Author

tests pass locally with new deps installed

@codecov

codecov bot commented Dec 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.59%. Comparing base (e002c13) to head (65ada31).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2360   +/-   ##
=======================================
  Coverage   92.59%   92.59%           
=======================================
  Files          36       36           
  Lines        7472     7472           
  Branches      653      653           
=======================================
  Hits         6919     6919           
  Misses        545      545           
  Partials        8        8           


Contributor

@WilliamBergamin WilliamBergamin left a comment

This looks good to me 💯 but may I suggest waiting until the number of downloads for @slack/socket-mode v2.0.3 rises slightly before merging/releasing these changes

socket-mode is a critical part of this project; if there is an issue with it, it would be nice to catch it before releasing it here 🤔

@hello-ashleyintech
Contributor Author

holding off on merging for now based on the above ^

Member

@zimeg zimeg left a comment

Bumping the @slack dependencies of bolt always brings a question or two...

Otherwise, feel free to merge when the time is right! 🙏

And I tested these changes with a few typescript and javascript projects and found the builds are alright as well, though I'm always hoping to find more ways to test future changes 👀

"@slack/types": "^2.13.0",
"@slack/web-api": "^7",
"axios": "^1.7.4",
"@slack/web-api": "^7.8.0",
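
Review bot: the raised floor on "@slack/web-api" ("^7" to "^7.8.0") is not tied to any advisory in the visible change or in the PR summary, which only says "security vulns"; name the advisory or fixed issue behind each new minimum in the description or changelog so consumers can judge their exposure at older versions. Since "^7.8.0" still accepts any later 7.x release, also confirm that the lockfile and CI resolve to the versions that were actually tested.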
Member

Would this bump make this change a semver:minor because new features are introduced? 🤔

I'm thinking we should've had this set to the latest semver:minor anyways since features of @slack/web-api are exposed from @slack/bolt - such as the assistant APIs released in @slack/[email protected] being required since @slack/[email protected] - but let me know what you think! 🔍

@WilliamBergamin
Contributor

@hello-ashleyintech got a few thousand downloads of socket mode 2.0.3 with no reported issues, I think we can safely merge this

zimeg modified the milestones: 4.1.2, 4.2.0 Dec 16, 2024
@zimeg
Member

zimeg commented Dec 16, 2024

@hello-ashleyintech @WilliamBergamin Jumping in on this winterish week to merge this and will tag it as semver:minor out of caution for the included dependencies 🙏

@hello-ashleyintech Thanks a ton for making these changes upstream and here! Huge lifts! 💪 ✨

zimeg merged commit 9846ce8 into main Dec 16, 2024
zimeg deleted the ah-update-deps branch December 16, 2024 20:34
Labels: dependencies (Pull requests that update a dependency file), semver:minor