Fix security vulnerabilities #1017
Bumps [vue](https://github.com/vuejs/core) and [vue-template-compiler](https://github.com/vuejs/vue). These dependencies needed to be updated together.

Updates `vue` from 2.6.11 to 2.7.0
- [Release notes](https://github.com/vuejs/core/releases)
- [Changelog](https://github.com/vuejs/core/blob/main/CHANGELOG.md)
- [Commits](https://github.com/vuejs/core/commits)

Updates `vue-template-compiler` from 2.6.11 to 2.7.0
- [Release notes](https://github.com/vuejs/vue/releases)
- [Changelog](https://github.com/vuejs/vue/blob/main/CHANGELOG.md)
- [Commits](vuejs/vue@v2.6.11...v2.7.0)

---
updated-dependencies:
- dependency-name: vue
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: vue-template-compiler
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [decode-uri-component](https://github.com/SamVerschueren/decode-uri-component) from 0.2.0 to 0.2.2.
- [Release notes](https://github.com/SamVerschueren/decode-uri-component/releases)
- [Commits](SamVerschueren/decode-uri-component@v0.2.0...v0.2.2)

---
updated-dependencies:
- dependency-name: decode-uri-component
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [qs](https://github.com/ljharb/qs) from 6.10.1 to 6.11.0.
- [Release notes](https://github.com/ljharb/qs/releases)
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.10.1...v6.11.0)

---
updated-dependencies:
- dependency-name: qs
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) from 8.5.1 to 9.0.0.
- [Release notes](https://github.com/auth0/node-jsonwebtoken/releases)
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](auth0/node-jsonwebtoken@v8.5.1...v9.0.0)

---
updated-dependencies:
- dependency-name: jsonwebtoken
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.15.8 to 7.20.12.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.20.12/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [json5](https://github.com/json5/json5) from 1.0.1 to 1.0.2.
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](json5/json5@v1.0.1...v1.0.2)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [redis](https://github.com/redis/redis-py) from 3.5.3 to 4.4.2.
- [Release notes](https://github.com/redis/redis-py/releases)
- [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES)
- [Commits](redis/redis-py@3.5.3...v4.4.2)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [flask-wtf](https://github.com/wtforms/flask-wtf) from 0.15.1 to 1.1.1.
- [Release notes](https://github.com/wtforms/flask-wtf/releases)
- [Changelog](https://github.com/wtforms/flask-wtf/blob/main/docs/changes.rst)
- [Commits](pallets-eco/flask-wtf@v0.15.1...v1.1.1)

---
updated-dependencies:
- dependency-name: flask-wtf
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [cookiejar](https://github.com/bmeck/node-cookiejar) from 2.1.3 to 2.1.4.
- [Release notes](https://github.com/bmeck/node-cookiejar/releases)
- [Commits](https://github.com/bmeck/node-cookiejar/commits)

---
updated-dependencies:
- dependency-name: cookiejar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…oken-9.0.0' into security-vulns
…ri-component-0.2.2' into security-vulns
…r-2.1.4' into security-vulns
…into security-vulns
…0.2' into security-vulns
…re-7.20.12' into security-vulns
…0' into security-vulns
…vue-template-compiler-2.7.0' into security-vulns
All the functionality worked for me. I'm nervous that this includes some major version bumps. Not to say we shouldn't do them, but just curious if you were able to look into any of the implications there?
I remember @erxclau had a good process for this where he'd check in on what each dependency did for us and cross referenced that with the release notes. It's fortunate that the upgrades in this PR don't require any code changes, but it'd still be nice to know a little background on some of the bigger changes so we know we're looking in the right place for bugs.
Just did a quick check by pushing to staging and all seems to WFM!
What's this PR do?
Fixes an array of vulnerabilities recommended by Dependabot, including:
Why are we doing this? How does it help us?
Good to stay on top of dependency upgrades for security!
Here are some major upgrades of note:
redis 4.4.2
The breaking changes in Redis 4 don't seem to affect this app:
- Impact: JSON commands available since 4.0.0beta3 now better match RedisJSON
- urllib.parse.unquote. Prior versions of redis-py supported this by specifying the decode_components flag to the from_url functions. This is now done by default and cannot be disabled. Allow URL encoded parameters in Redis URLs by Default redis/redis-py#589
- (see commands.py). Anyone importing redis.client to access commands directly should import redis.commands. Migrating commands to a mixin redis/redis-py#1534, Merged new sentinel commands from #834 redis/redis-py#1550
flask-wtf 1.1.1
Flask-wtf v1 doesn't appear to have any breaking changes when migrating from 0.15.1. Support for python 3.6 was dropped in v1.1, but we're using python 3.9 in this repo so it doesn't affect us.
jsonwebtoken 9.0.0
None of the breaking changes appear to affect us:
How should this be manually tested?
Spin up the donations app and:
How should this change be communicated to end users?
Are there any smells or added technical debt to note?
At time of writing, this PR does not address all Dependabot recommended fixes but we have quite a few. I thought it might be best to handle them in batches.
What are the relevant tickets?
Have you done the following, if applicable:
(optional: add explanation between parentheses)
TODOs / next steps:
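The review above asks for the cross-check that makes a major bump safe to merge: for each API the changelog marks as breaking, find out whether the app actually touches it. The script below is an added example, not code from this PR or from the donations app. It encodes the two redis-py 4 changes quoted in the description (the removed `decode_components` flag on `from_url`, and the move of command methods from `redis.client` to `redis.commands`) as regex rules, runs them over a constructed sample file, and reports the call sites a reviewer should look at. The rule patterns, the sample file and all function names here are assumptions; the import rule is deliberately coarse (it flags every import from `redis.client`, including the still-valid `Redis` class) so that a human decides, rather than the script guessing which names moved.

```python
"""Audit a source tree for call sites touched by the redis-py 4.x breaking
changes quoted in this PR.  Added example, not project code; the rules are
assumptions derived from the two changelog excerpts in the PR description."""
import re
import tempfile
from pathlib import Path

# (rule name, compiled pattern, reviewer advice).  Both rules come from the
# changelog items quoted above; anything else in the 4.x changelog is not covered.
RULES = [
    (
        "client-module-import",
        # Any `from redis.client import ...` or `import redis.client` line.
        # Coarse on purpose: the Redis class still lives there, but command
        # mixins moved to redis.commands, so every hit needs a human look.
        re.compile(r"^[ \t]*(?:from[ \t]+redis\.client[ \t]+import|import[ \t]+redis\.client\b)", re.M),
        "commands moved to redis.commands; check nothing command-related is imported from redis.client",
    ),
    (
        "decode-components-kwarg",
        # from_url(...) calls that pass decode_components=, possibly across lines.
        re.compile(r"from_url\([^)]*\bdecode_components\s*="),
        "decode_components was removed; from_url now always percent-decodes and this cannot be disabled",
    ),
]


def scan_text(text, filename="<string>"):
    """Return sorted (filename, line_no, rule_name, advice) tuples for every hit."""
    findings = []
    for name, pattern, advice in RULES:
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((filename, line_no, name, advice))
    return sorted(findings)


def scan_tree(root):
    """Scan every *.py file under root; paths are reported relative to root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.py")):
        findings.extend(scan_text(path.read_text(), str(path.relative_to(root))))
    return findings


# Constructed sample module (assumption): a tiny app that trips both rules.
SAMPLE_APP = """\
import os
from redis.client import Redis
import redis

def pool():
    url = os.environ["REDIS_URL"]
    return redis.Redis.from_url(url, decode_components=True)
"""


def demo():
    """Write the constructed sample into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "app.py").write_text(SAMPLE_APP)
        return scan_tree(tmp)


if __name__ == "__main__":
    for filename, line_no, rule, advice in demo():
        print(f"{filename}:{line_no}: [{rule}] {advice}")
```

Run it against the real tree with `scan_tree("path/to/app")`; the sample hits lines 2 and 7. Extending the audit to the next major bump means adding one rule per changelog item that names an API surface, which is cheaper than re-reading the code for each review.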