Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Security Vulnerabilities #113

Merged
merged 14 commits into from
Oct 10, 2024
Merged

Fix Security Vulnerabilities #113

Show file tree
Hide file tree
Changes from 12 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
8c180dd
updated body-parser version to 1.20.3
gurukishorebolisetty Sep 30, 2024
e20f144
updated mocha version to 10.7.0
gurukishorebolisetty Sep 30, 2024
4c52b12
updated sinon version to 16.1.2
gurukishorebolisetty Sep 30, 2024
2c4cc91
updated eslint-plugin-import version to 2.30.0
gurukishorebolisetty Sep 30, 2024
1911ab8
updated node-gyp version to 10.0.0
gurukishorebolisetty Sep 30, 2024
54b9430
updated docker file to include bracs to upgrade
gurukishorebolisetty Sep 30, 2024
532ec93
updated docker file to include bracs to upgrade
gurukishorebolisetty Sep 30, 2024
fba8eec
updated node-sass-middleware version
gurukishorebolisetty Sep 30, 2024
b5ef367
updated packages version
gurukishorebolisetty Oct 1, 2024
a42c49a
removed braces
gurukishorebolisetty Oct 1, 2024
c605f7c
removed repeated command
gurukishorebolisetty Oct 1, 2024
94c402e
added packages to package.json
gurukishorebolisetty Oct 1, 2024
818e6c4
removed braces package from package.json
gurukishorebolisetty Oct 3, 2024
48ec9d9
removed semver package from package.json
gurukishorebolisetty Oct 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ ENV DOCKER_HOME /usr/src/app

RUN apk update && apk upgrade

# Update the package list and upgrade libpq and postgresql15-client
RUN apk update && apk upgrade && \
apk add --no-cache libpq postgresql15-client

# Temporary solution to dump and restore database
hemantgoswami marked this conversation as resolved.
Show resolved Hide resolved
RUN apk add --no-cache --update postgresql-client

Expand Down
16 changes: 10 additions & 6 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,12 +31,13 @@
},
"homepage": "https://github.com/ukhomeoffice/business-data-manager#readme",
"dependencies": {
"body-parser": "^1.19.0",
"body-parser": "^1.20.3",
"braces": "^3.0.3",
"compression": "^1.7.4",
"connect-pg-simple": "^7.0.0-0",
"crc-32": "^1.2.2",
"errorhandler": "^1.5.1",
"express": "^4.19.2",
"express": "^4.21.0",
"express-flash": "0.0.2",
"express-session": "^1.17.2",
"express-validator": "^6.14.0",
Expand All @@ -53,29 +54,32 @@
"passport": "0.6.0",
"pg": "^8.6.0",
"role-acl": "^4.5.4",
"semver": "^7.5.2",
"setup": "^0.0.3",
"start": "^5.1.0",
"uglify-js": "^3.15.4",
"winston": "^3.3.3",
"yarn": "^1.22.18"
},
"devDependencies": {
"braces": "^3.0.3",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only needed in dependencies, as devdependencies are the additional packages for development environment and this will try to install it twice, not that it is a big deal but tidy code by removing it from here will look good.

On the other hand, did you tried updating the parent package that has the dependency on this package to a more recent that should be the ideal solution. The reason for that is, now the package.json suggests that this package is required and used directly by the application and in couple of years time if the parent package is removed and not used, this will still be lying around and no one would know what to do with it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hemantgoswami , removed these packages from package.json file now. please resolve and approve PR.

"chai": "^4.5.0",
"chai-as-promised": "^7.1.1",
"eslint": "^7.27.0",
"eslint-config-standard": "^16.0.2",
"eslint-plugin-import": "^2.29.1",
"eslint-plugin-import": "^2.30.0",
"eslint-plugin-node": "^11.1.0",
"eslint-plugin-promise": "^5.1.0",
"eslint-plugin-standard": "^5.0.0",
"fstream": "^1.0.12",
"js-yaml": "^4.1.0",
"jsdoc": "^3.6.7",
"marked": "^4.0.15",
"mocha": "^10.0.0",
"node-gyp": "^9.0.0",
"mocha": "^10.7.0",
"node-gyp": "^9.4.1",
"node-pre-gyp": "^0.17.0",
"proxyquire": "^2.1.3",
"sinon": "^10.0.0"
"semver": "^7.5.2",
"sinon": "^16.1.2"
}
}
Loading