Open JennaySDavis opened 6 months ago
We cannot resolve the PostCSS Dependabot issues, linked below, because our systems rely on uswds-compile. We currently have the latest version (1.1.0) installed, which depends on the vulnerable version of PostCSS. The USWDS package should be updated first, or we should move away from using it, but in the meantime, we will not be able to upgrade to a safe version.
In addition, Astro v2 depends on a vulnerable version of PostCSS. We would need to migrate to a newer version, requiring an overhaul since we are two full versions behind. We have spent about a week attempting this upgrade to Astro v4.
We do not currently have an accurate estimate of how long it will take to upgrade Astro as there are several unknowns around what is now preventing the upgraded version from working. Regardless, we will still need to resolve the dependency on USWDS-Compile before this vulnerability can be properly addressed.
Updated Astro from 2 to 4. The PostCSS version that has the vulnerability is still referenced in the application, but this is due to the USWDS library the application is using. This will be resolved once the USWDS library is updated to point to a new version of PostCSS.
#471 Acceptance Criteria
Pass/Fail | Description |
---|---|
Pass | Full Regression Testing of the Training App |
Comments/Additional Notes N/A
ADA Compliance (Automated scan via Chrome Lighthouse)
Criteria | Score |
---|---|
Performance | 99 |
Accessibility | 100 |
Best Practices | 100 |
Passed 06/07/2024 - JSD
No issues detected, moving to done, thank you!
Update from Astro 2.0 to 4.0