
chore(deps): automatically audit fix UI deps #12036

Merged: 1 commit into argoproj:master from deps-ui-audit-fix on Oct 20, 2023

Conversation

@agilgur5 commented Oct 18, 2023

Partial fix for #12031, Vulnerabilities

Motivation

Modifications

Verification

- ran `yarn` after, no additional changes
  - audit fix will only bump versions in a SemVer compatible way, so no major bumps here; mostly patches
- ran `npx yarn-audit-fix && yarn deduplicate` ([yarn-audit-fix](https://github.com/antongolub/yarn-audit-fix))
  - 77 vulns -> 1 vuln

Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
@agilgur5 added labels type/dependencies (PRs and issues specific to updating dependencies) and javascript (Pull requests that update Javascript dependencies) on Oct 18, 2023

@terrytangyuan (Member) left a comment

This should be part of `ui lint`? `npx yarn-audit-fix && yarn deduplicate`

@agilgur5 (Author) commented Oct 19, 2023

> This should be part of `ui lint`? `npx yarn-audit-fix && yarn deduplicate`

No, I don't think so; that's why I didn't add it.

Here's a pointed counter-example to demonstrate why: if you change no dependencies yourself in a PR, audit fix may still have changes.
After all, it depends on whether there are vulns in your dependencies and a SemVer compatible fix available. Since vulns are discovered in real-time, that is a moving target.

`yarn deduplicate`, on the other hand, will only make changes if you made changes to the deps. It will effectively no-op when there are no changes to deps (and if the list has been kept deduped, as it is within the UI lint check).

@terrytangyuan terrytangyuan merged commit 35f7208 into argoproj:master Oct 20, 2023
21 checks passed
@agilgur5 agilgur5 deleted the deps-ui-audit-fix branch October 20, 2023 02:15
@agilgur5 agilgur5 added the type/security Security related label Oct 20, 2023
sarabala1979 pushed a commit that referenced this pull request Jan 10, 2024
Signed-off-by: Anton Gilgur <agilgur5@gmail.com>