DemocracyDevelopers / colorado-rla

Colorado Risk-Limiting Audit (RLA) software – developed to support risk-limiting post-election audits of election outcomes.

NPM Update vulnerable packages #150

Closed charliecarlton closed 1 week ago

charliecarlton commented 1 week ago

I pushed updates to package.json and npm-shrinkwrap. I think these are all the updates I can make without having to actively update and modify our react/typescript. In theory this should have been as simple as running 'npm audit fix' but I kept running into changes that were completely breaking the client-side code. Turns out it was because I was running 'npm update' which was updating some subdependency that caused the breakage. Turns out running 'npm update' without any of these version updates (and locking in all of the versions by removing the '^' on version numbers) causes the same breakage so that was a red herring. It's also possible I'm failing to understand all of the intricacies of how npm dependencies work.

Other notes:

  1. I removed fetch-mock entirely since I don't see it being used anywhere.
  2. If you run 'npm audit' there are still a few vulnerabilities, although they recommend rolling back major version numbers (e.g. pushing awesome-typescript-loader back to 3.1.3 and tap-spec back to 2.2.2). I can't imagine we'd want to do this so I'm leaving as-is. I believe I fixed up all of the 'critical' issues at least.

For testing, I ran through the audit process for the state and some counties, keeping an eye out for breakages and didn't find any.