Dev: Update react-scripts dependency to remove high severity vulnerabilities #194

Open
mtreacy002 opened this issue Mar 9, 2021 · 14 comments · May be fixed by #270
Labels: Category: Coding (Changes to code base or refactored code that doesn't fix a bug); dependencies (Pull requests that update a dependency file); Type: Maintenance (Repository maintenance)

Comments

mtreacy002 (Member) commented Mar 9, 2021

Is your feature request related to a problem? Please describe.

The current react-scripts dependency (v3.4.3) is causing 2 high severity warnings

Describe the solution you'd like

Update react-scripts dependency from 3.4.3 to 4.0.3. Note: this install involves potential breaking changes.
While on it, fix other vulnerability warnings as well.

Describe alternatives you've considered

Ignore the warnings if they don't cause major issues.

Additional context

These warnings were caught on the initial dependencies installation of a newly cloned project.
Here's the gist of npm audit reports.

@mtreacy002 mtreacy002 added Category: Coding Changes to code base or refactored code that doesn't fix a bug. Status: Available Issue was approved and available to claim or abandoned for over 3 days. Type: Maintenance Repository maintenance. labels Mar 9, 2021
@mtreacy002 mtreacy002 changed the title Dev: Update react-scripts dependency to remove vulnerabilities warning Dev: Update react-scripts dependency to remove vulnerabilities Mar 9, 2021
@mtreacy002 mtreacy002 added the dependencies Pull requests that update a dependency file label Mar 9, 2021
@mtreacy002 mtreacy002 changed the title Dev: Update react-scripts dependency to remove vulnerabilities Dev: Update react-scripts dependency to remove high severity vulnerabilities Mar 9, 2021
@Amulya-coder (Member)

@mtreacy002 I have added the Open source hack label for the OSH aspirants

@Anmollenka

I would like to work on this issue.

@Amulya-coder (Member)

Assigning @Anmollenka.

@Amulya-coder Amulya-coder removed the Status: Available Issue was approved and available to claim or abandoned for over 3 days. label May 22, 2021
@Anmollenka

@mtreacy002 just wanted to confirm if medium severity vulnerabilities should be removed too?

@Anmollenka

> @mtreacy002 just wanted to confirm if medium severity vulnerabilities should be removed too?

@Amulya-coder Can you just confirm so that I can create a pull request.

@Amulya-coder (Member)

@Anmollenka, yes, you can go ahead and create a pull request; no need to worry about medium severity vulnerabilities.
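The decision above (block on high severity, let moderate findings through) is the kind of rule that belongs in CI rather than in someone's memory. As an added example that is not part of this project's code, the script below turns the JSON from `npm audit --json` into a pass/fail result at a chosen severity. It reads both the npm 6 report shape (top-level `advisories`) and the npm 7+ shape (top-level `vulnerabilities`); only the fields used below are assumed, and the two sample reports are constructed with fictional package names and advisory numbers, mirroring the issue's "2 high, some moderate" situation.

```javascript
// Added example, not the project's own code: a severity gate over the JSON
// emitted by `npm audit --json`. Fails on findings at or above a threshold
// ("high" here, matching the thread) and ignores anything below it.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Normalise either report format into a flat list of findings.
function parseAudit(report) {
  const data = typeof report === 'string' ? JSON.parse(report) : report;

  if (data.advisories) {
    // npm 6 shape: one entry per advisory, each listing the dependency
    // chains (paths) in which the vulnerable version was found.
    return Object.values(data.advisories).map((adv) => ({
      name: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      paths: (adv.findings || []).flatMap((f) => f.paths || []),
    }));
  }

  if (data.vulnerabilities) {
    // npm 7+ shape: one entry per vulnerable package. "via" holds advisory
    // objects for direct findings and plain package names for packages that
    // are only affected through a vulnerable dependency.
    return Object.values(data.vulnerabilities).map((vuln) => {
      const via = vuln.via || [];
      const titles = via.filter((v) => typeof v === 'object' && v.title).map((v) => v.title);
      const parents = via.filter((v) => typeof v === 'string');
      return {
        name: vuln.name,
        severity: vuln.severity,
        title: titles.length ? titles.join('; ') : `via ${parents.join(', ')}`,
        paths: vuln.nodes || [],
      };
    });
  }

  throw new Error('unrecognised npm audit output: no "advisories" or "vulnerabilities" key');
}

function findingsAtOrAbove(findings, level) {
  const threshold = SEVERITY_RANK[level];
  if (threshold === undefined) throw new Error(`unknown severity level: ${level}`);
  // A severity string we do not recognise is treated as blocking rather than
  // silently passing the gate.
  return findings.filter((f) => (SEVERITY_RANK[f.severity] ?? 99) >= threshold);
}

// Returns a summary object; `pass` is false when anything reaches the threshold.
function auditGate(report, level = 'high') {
  const findings = parseAudit(report);
  const blocking = findingsAtOrAbove(findings, level);
  return {
    total: findings.length,
    blocking: blocking.length,
    packages: [...new Set(blocking.map((f) => f.name))].sort(),
    pass: blocking.length === 0,
  };
}

// Constructed sample reports (fictional packages pkg-a/pkg-b/pkg-c/pkg-parent
// and advisory ids 1-3; not real advisories): two high findings, one moderate.
const SAMPLE_NPM6 = {
  advisories: {
    1: { module_name: 'pkg-a', severity: 'high', title: 'Prototype pollution',
         findings: [{ version: '1.0.0', paths: ['react-scripts>pkg-parent>pkg-a'] }] },
    2: { module_name: 'pkg-b', severity: 'high', title: 'Regular expression denial of service',
         findings: [{ version: '2.1.0', paths: ['react-scripts>pkg-b'] }] },
    3: { module_name: 'pkg-c', severity: 'moderate', title: 'Open redirect',
         findings: [{ version: '0.3.0', paths: ['react-scripts>pkg-c'] }] },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0 } },
};

const SAMPLE_NPM7 = {
  vulnerabilities: {
    'pkg-a': { name: 'pkg-a', severity: 'high',
               via: [{ source: 1, name: 'pkg-a', title: 'Prototype pollution', severity: 'high' }],
               nodes: ['node_modules/pkg-a'], fixAvailable: true },
    'pkg-c': { name: 'pkg-c', severity: 'moderate',
               via: [{ source: 3, name: 'pkg-c', title: 'Open redirect', severity: 'moderate' }],
               nodes: ['node_modules/pkg-c'], fixAvailable: true },
    'pkg-parent': { name: 'pkg-parent', severity: 'high', via: ['pkg-a'],
                    nodes: ['node_modules/pkg-parent'], fixAvailable: true },
  },
};

console.log(JSON.stringify(auditGate(SAMPLE_NPM6, 'high'), null, 2));
```

To run it against a real tree, save `npm audit --json > audit.json` and pass the file contents to `auditGate(...)`, exiting non-zero when `pass` is false. The built-in equivalent for the exit code alone is `npm audit --audit-level=high`; the script adds the list of offending packages, which is what a reviewer needs to judge whether the react-scripts bump actually cleared them.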

@vj-codes (Member)

@Anmollenka any updates here?

@Anmollenka

Will create a pr within an hour

@Anmollenka

@vj-codes After manually changing the versions, 2 high vulnerabilities are still there.

@mtreacy002 (Member, Author)

@Anmollenka, can you please show us the steps you've done, along with the npm audit report log on a gist? This will help us better understand the issue you are facing. Thanks 😉

@Anmollenka

sure @mtreacy002

Anmollenka commented Jul 1, 2021

@mtreacy002 I updated the react version to 4.0.3 and ran npm audit. Here is the gist of the npm audit report.

mtreacy002 (Member, Author) commented Jul 7, 2021

@Anmollenka, when you said you've manually changed the versions, which versions are you talking about? For example, I can't see how you've updated the react version to 4.0.3 while the version stated inside package.json is 16.3.1.
[Screenshot: package.json, "Screen Shot 2021-07-07 at 8 23 00 pm"]

can you please submit the PR with whatever you currently have so that we could see what you have done and how we can improve this? thanks

@Anmollenka

> @Anmollenka, when you said you've manually changed the versions, which versions are you talking about? For example, I can't see how you've updated the react version to 4.0.3 while the version stated inside package.json is 16.3.1.
> [Screenshot: package.json, "Screen Shot 2021-07-07 at 8 23 00 pm"]
>
> can you please submit the PR with whatever you currently have so that we could see what you have done and how we can improve this? thanks

Yes @mtreacy002, as I have not submitted my pull request you will not be able to see my changes. Sorry for the inconvenience caused by not explaining my approach properly.

@Anmollenka Anmollenka linked a pull request Jul 10, 2021 that will close this issue
4 participants