Open arbreton opened 5 years ago
I tried to upgrade mongodb and mongoose on feather, but it's not compatible with the feathersjs packages. I think we should upgrade them together.
Most of the critical and high vulnerabilities are for obsolete packages used in our smart-contract-related packages (lpp-campaign, liquidpledging, etc.). In particular, the bridge repo is one of them and needs its packages upgraded. @arbreton Do you have any idea about running the bridge locally to test the bridge repo? I tried once but I couldn't.
Big move forward on mongoDB... might be easier now
define a new NPM name space for Giveth....
So we can upload our packages there...
@aminlatifi @GriffGreen you have created a new Giveth NPM namespace based on chats in Telegram. Does this measure help us to close this issue?
SOOO MUCH WORK!!
SOO MUCH TECHNICAL DEBT!
Claim Bankruptcy...
Close this outright?
@mdehghani Let's start with repos used here: https://github.com/Giveth/giveth-dapp/blob/develop/src/lib/blockchain/getNetwork.js
As discussed, upgrade the repos' dependencies and test the new versions together on feathers and giveth-dapp
https://github.com/Giveth/lpp-campaign
https://github.com/Giveth/liquidpledging
https://github.com/Giveth/lpp-milestone // I am not sure where this one is used
https://github.com/Giveth/lpp-milestones
https://github.com/Giveth/lpp-capped-milestone
https://github.com/Giveth/giveth-bridge
Some dependencies of the org repos might be vulnerable to certain attacks and need to be reviewed