
Update JS dependencies #1190

Merged (2 commits) on May 5, 2022

Conversation

@MKodde (Member) commented Apr 28, 2022

Security warnings were raised for two main reasons:

  1. We use a very outdated Cypress version (updates held back by a plugin, see point below). Upgrading that got rid of most security warnings.
  2. Using the snapshot cypress plugin caused two difficult to resolve security warnings. Socket IO and Engine IO were held back from update and hence we were using vulnerable versions of those packages. Adding resolutions to force a safe version caused incompatible behavior in the plugin. So that is not an option either. This very problem was raised on the Github page. Until that problem is resolved we will have these problems.

As a (temporal) solution, I chose to disable the conflicting snapshot plugin, and disable the visual regression tests that use them for now.

Read the commit messages for a bit more detail.
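The situation the description refers to (a plugin carrying its own nested, older copy of socket.io and engine.io while the top-level copy is current) can be spotted in a lockfile before running `npm audit`. The following script is an added example, not code from this PR or the project; the package-lock layout it reads is the standard lockfileVersion 2/3 `packages` map, and the minimum versions and the plugin name are constructed placeholders.

```javascript
// Added example (not from the PR): scan a package-lock.json "packages" map for
// dependencies, including nested transitive copies, that sit below a minimum
// version. Thresholds and the plugin name are constructed placeholders.

const MINIMUM_SAFE = { "socket.io": "4.0.0", "engine.io": "6.0.0" }; // placeholders

// Compare dotted numeric versions (pre-release tags are ignored); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lock: parsed package-lock.json whose "packages" keys are install paths such as
// "node_modules/plugin/node_modules/socket.io" (scoped names keep their @scope/).
function findHeldBack(lock, minimums = MINIMUM_SAFE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const min = minimums[name];
    if (min && compareVersions(meta.version, min) < 0) {
      hits.push({ name, path, version: meta.version, minimum: min });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level socket.io is current, but a plugin
// carries its own nested, older socket.io and engine.io, which is what "held back" looks like.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/socket.io": { version: "4.5.0" },
    "node_modules/some-snapshot-plugin": { version: "1.2.3" },
    "node_modules/some-snapshot-plugin/node_modules/socket.io": { version: "2.3.0" },
    "node_modules/some-snapshot-plugin/node_modules/engine.io": { version: "3.5.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(findHeldBack(SAMPLE_LOCK)); // reports the two nested, outdated copies
}
```

Each hit's `path` shows which dependency owns the nested copy, which is the package a `resolutions` override or a plugin swap has to target.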

@MKodde force-pushed the maintenance/upgrade-javascript-dependencies branch from e449399 to 9250630 on May 3, 2022 06:33
@MKodde requested a review from VadimSchmitz on May 3, 2022 06:33
@MKodde force-pushed the maintenance/upgrade-javascript-dependencies branch from 9250630 to 5918919 on May 4, 2022 12:46
Quite some JS dependencies had not been updated for some time, leaving
them vulnerable to security issues. Some of the packages have been
upgraded to a couple of major releases higher than currently installed.
This did not seem to have a negative effect on the processes using the
packages. But please be aware of this.

For now only the socket.io and engine.io resolutions have been resolved.
@MKodde force-pushed the maintenance/upgrade-javascript-dependencies branch from 5918919 to 4811801 on May 4, 2022 12:52
@MKodde force-pushed the maintenance/upgrade-javascript-dependencies branch 3 times, most recently from cefdc77 to 2e030a2 on May 5, 2022 06:22
After updating socket.io and engine.io, the snapshot plugin used by the
cypress snapshot plugin no longer works. In order to run the tests we
need the older (vulnerable) versions. And for passing security tests, we
need the new version.

(┛ಠ_ಠ)┛彡┻━┻

The current version of the snapshot project is not actively maintained,
but the community is trying to take it over from the original
maintainer. My suggestion is to keep it in the project for now, and hope
for a speedy upgrade. If this is not the case we could look to use
another plugin or disable the visual regression tests altogether?

In my endeavours of juggling cypress plugins, I also took the liberty to
update cypress to the latest version, bumping it a whopping 4 major
releases. Another sign of caution is raised here. Tests seemed to run
as before, but we might experience BC breaking changes from the four
version upgrades.
@MKodde force-pushed the maintenance/upgrade-javascript-dependencies branch from 2e030a2 to becabc2 on May 5, 2022 06:26
@MKodde requested review from thijskh and Badlapje on May 5, 2022 06:35
@MKodde merged commit 8bd2770 into master on May 5, 2022
@MKodde deleted the maintenance/upgrade-javascript-dependencies branch on May 5, 2022 09:47

@Badlapje left a comment

Looks good to me 👍
