Dependabot updates

[pdpinch]

Dependabot is recommending a number of updates, but it can't open PRs right now.

Acceptance Criteria:

• ejs 3.17
• terser 5.14.2
• moment 2.29.4
• merge 2.1.1
• node-fetch
• shelljs 0.8.5
• nth-check 2.0.1

related issues

• Should we use renovate instead? See Configure Renovate #536

[asadali145]

Hey @pdpinch @rhysyngsun,

• I was having a look into this ticket and it seems like dependabot is disabled for version updates. Should I enable it and add a config for it? Please have a look at the feature in settings available at https://github.com/mitodl/mitxonline/settings/security_analysis.
• Also, I remember we were about to use renovate. Is there any update on that or should I enable dependabot.

[rhysyngsun]

If we're going to enable something like dependabot I'd rather go with renovate, although it requires some more configuration tweaks.

In the meantime, can you manually open some PRs to bump the versions for what dependabot is alerting on?

[asadali145]

Putting it here for reference:

ejs cannot be upgraded as it is a dependency of https://github.com/surma/rollup-plugin-off-main-thread and ejs version is not updated in it. There is an Open PR for ejs version bump but it seems like there is no activity on it from the maintainers surma/rollup-plugin-off-main-thread#53.

[asadali145]

Terser is a dependency of the following Packages:

• https://github.com/terser/html-minifier-terser
• https://github.com/TrySound/rollup-plugin-terser
• https://github.com/webpack-contrib/terser-webpack-plugin

https://github.com/TrySound/rollup-plugin-terser has not yet bumped the version specified by the dependabot is the reason we cannot update terser. We can pin the version as we do in MITxPro https://github.com/mitodl/mitxpro/blob/5a4bde552c2bdc89702740eef78146c4012a6012/package.json#L136

[asadali145]

Merge is the dependency of https://github.com/sasstools/sass-lint. A PR for Version bump is created but there is no response on that sasstools/sass-lint#1321.

[asadali145]

node-fetch also has a few dependencies that have open PRs for version bumps.

• Teeny-fetch https://github.com/googleapis/teeny-request is using an older version of node-fetch
• fetch-mock https://github.com/wheresrhys/fetch-mock has an open PR for version bump https://github.com/wheresrhys/fetch-mock/pulls
• isomorphic-fetch https://github.com/matthew-andrews/isomorphic-fetch also has an open PR for version bump Bump node-fetch to 2.6.7 to resolve security issue matthew-andrews/isomorphic-fetch#204.

[asadali145]

shelljs is a dependency of eslint and flowgen. Flowgen has a open PR joarwilk/flowgen#169 for version bump but eslint is still using 0.8.2 and no issue or PR if open for version bump.

[asadali145]

nth-select is a dependency of react-scripts and we are using the latest version of react-scripts. Maybe we can pin the version specified by dependabot if required.

[asadali145]

Hey, @rhysyngsun @pdpinch just FYI;
Almost all the packages are required by either react-scripts or a dependency of react-scripts. Some packages have had no activity for the last year or two. I have had a few discussions with @arslanashraf7 as well. We have 2 options:

• Ignore the dependabot alerts and wait for a new release of react-scripts. Some of the packages are inactive for years.
• Pin the versions using resolutions as we do in xpro https://github.com/mitodl/mitxpro/blob/5a4bde552c2bdc89702740eef78146c4012a6012/package.json#L136.

Please let me know your opinion. Thanks

[rhysyngsun]

@asadali145 I think we should try the resolutions pinning, since react-scripts is used at build time as long as we get a valid and functional build out of it we should be good. Although that said I think that library is only really required by create-react-app which I don't think we're using so this really shouldn't do anything.

[pdpinch]

I'd like to close this generic issue. Can someone open a specific issue about pinning the version of resolutions -- and/or removing create-react-app?

[asadali145]

Recently, Depeandabot opened a couple of PRs for the related dependencies. I will be having a look into those when I get some time. Hopefully, We won't need the resolutions.

[asadali145]

Closing this one. Dependabot opened PRs that we need to review now. This one is invalid.