chore(all): LW-8019 fix critical/high yarn audit vulnerabilities #408
Conversation
Force-pushed 8b310b2 to d0a4095
This will have to be rebased and updated for yarn3
@tgunnoe thanks for the heads up, will do 👍 btw, I noticed that the For the time being I'd fix at least the vulnerabilities respective to the v3 report
Force-pushed d0a4095 to 200c3a1
@przemyslaw-wlodek I force-pushed the fixes to yarn.lock because I basically did the update from scratch, so the code requires re-reviewing anyway as it doesn't share anything in common apart from the general steps (autofix issues with I also bumped webpack which, although wasn't reported by the v3 Currently, the only critical dependency should be reported by
Great job @refi93
Checklist
Motivation
yarn audit is currently reporting 324 vulnerabilities:
Proposed solution
Run yarn-audit-fix, which is an automated tool looking for non-vulnerable versions of packages that comply with the dependency constraints. Fix the rest of the reported (high/critical) vulnerabilities ad hoc.
The commits are split in the following way:
- yarn-audit-fix
- yarn audit into CI, basically reverting https://github.com/input-output-hk/lace/pull/241/files (except sonarqube)
Testing
yarn audit and there should be no high/critical vulnerabilities reported
Allure report
allure-report-publisher generated test report!
smokeTests: ✅ test report for c651987f
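The PR description's "Testing" step (run yarn audit, expect no high/critical findings) and the commit that brings yarn audit back into CI amount to a severity gate. The script below is an added example for this thread, not code from the Lace repository or the PR; it parses the NDJSON that Yarn classic (1.x) prints for `yarn audit --json` (one `auditAdvisory` object per line, then a trailing `auditSummary`) and decides whether the build should fail at a chosen severity threshold. It also decodes Yarn classic's exit status, which is a bitmask of the severities found (1 info, 2 low, 4 moderate, 8 high, 16 critical). The sample stream, package names and advisory ids are constructed for the example; Yarn 3's `yarn npm audit --json` uses a different shape that this parser does not handle, which is the v1-versus-v3 report difference the thread mentions.

```javascript
// Added example for this PR thread, not code from the Lace repository:
// gate a CI job on `yarn audit` so high/critical advisories fail the build.
// Assumes Yarn classic (1.x), whose `yarn audit --json` prints one JSON object
// per line: zero or more "auditAdvisory" records, then one "auditSummary".
// Yarn 3's `yarn npm audit --json` uses a different shape and is not handled here.

const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Yarn classic also reports the severities found as a bitmask in its exit code.
const EXIT_MASK = { info: 1, low: 2, moderate: 4, high: 8, critical: 16 };

// Parse the NDJSON stream into per-severity counts, a flat advisory list and
// the trailing summary (null if the stream was cut off before it).
function parseAuditNdjson(text) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  const advisories = [];
  let summary = null;

  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let record;
    try {
      record = JSON.parse(line);
    } catch (err) {
      continue; // yarn may interleave non-JSON warnings; ignore them
    }
    if (record.type === 'auditAdvisory') {
      const adv = record.data.advisory;
      const severity = String(adv.severity).toLowerCase();
      if (!SEVERITIES.includes(severity)) continue;
      counts[severity] += 1;
      advisories.push({
        id: adv.id,
        module: adv.module_name,
        severity,
        paths: (adv.findings || []).flatMap((f) => f.paths || []),
      });
    } else if (record.type === 'auditSummary') {
      summary = record.data.vulnerabilities;
    }
  }
  return { counts, advisories, summary };
}

// Advisories at or above the threshold severity (default: high).
function blockingAdvisories(report, threshold = 'high') {
  const min = SEVERITIES.indexOf(threshold);
  return report.advisories.filter((a) => SEVERITIES.indexOf(a.severity) >= min);
}

// CI decision: prefer yarn's own summary counts when present (advisory records
// can repeat one advisory per dependency path), otherwise use our tally.
function gateDecision(report, threshold = 'high') {
  const counts = report.summary || report.counts;
  const min = SEVERITIES.indexOf(threshold);
  const blockedCount = SEVERITIES.slice(min).reduce((n, s) => n + (counts[s] || 0), 0);
  return { blocked: blockedCount > 0, blockedCount, counts };
}

// Decode the exit-status bitmask (e.g. 10 = low + high).
function severitiesFromExitCode(code) {
  return SEVERITIES.filter((s) => code & EXIT_MASK[s]);
}

// Constructed sample stream: fake package names and advisory ids, not real advisories.
const SAMPLE_AUDIT_NDJSON = [
  '{"type":"warning","data":"constructed non-advisory line, should be skipped"}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":1,"path":"constructed-pkg-a>constructed-pkg-b"},' +
    '"advisory":{"id":1,"module_name":"constructed-pkg-b","severity":"high","title":"constructed",' +
    '"findings":[{"version":"1.0.0","paths":["constructed-pkg-a>constructed-pkg-b"]}]}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":2,"path":"constructed-pkg-c"},' +
    '"advisory":{"id":2,"module_name":"constructed-pkg-c","severity":"low","title":"constructed",' +
    '"findings":[{"version":"2.0.0","paths":["constructed-pkg-c"]}]}}}',
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":1,"critical":0},' +
    '"dependencies":2,"devDependencies":0,"optionalDependencies":0,"totalDependencies":2}}',
].join('\n');

const report = parseAuditNdjson(SAMPLE_AUDIT_NDJSON);
const decision = gateDecision(report, 'high');
for (const a of blockingAdvisories(report, 'high')) {
  console.log(`${a.severity.toUpperCase()} ${a.module} (advisory ${a.id}) via ${a.paths.join(', ')}`);
}
console.log(decision.blocked ? 'audit gate: FAIL' : 'audit gate: PASS', decision.counts);
```

In a CI job you would pipe `yarn audit --json` into `parseAuditNdjson` and exit non-zero when `gateDecision(...).blocked` is true; the threshold is a parameter so the same script can be tightened from high to moderate later without touching the job. Low and moderate findings still show up in the counts, so they stay visible without blocking the merge.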