danguera / security-strategy-essentials

https://lab.github.com/githubtraining/security-strategy-essentials
MIT License
0 stars 0 forks source link

Update the vulnerable dependency #1

Closed github-learning-lab[bot] closed 3 years ago

github-learning-lab[bot] commented 3 years ago

Update the dependency

Next, we'll go through the GitHub Flow to make some changes. If you aren't sure how to do this, try the Introduction to GitHub course and then come back to give it another try.

Note: For production code, it's a good idea to do some integration testing to make sure that the upgraded package works with your code. Good unit tests and Continuous Integration (CI) will help you update with confidence. The Learning Lab course GitHub Actions: Continuous Integration can teach you how to set up CI!

Step 4: Updating dependency versions

Now that you know the recommended version, it's time to edit the package.json file. You'll upgrade the package to a non-vulnerable version.

:keyboard: Activity: Update the package.json file

  1. Within this pull request, go to Files changed.
  2. Click the ellipsis (...) in the right upper corner and click Edit file to edit the package.json file.
  3. Fix the vulnerability by updating to the latest version of the dependency that you took note of earlier, version 2.6.9 of debug.
  4. Scroll down, and commit your change.
github-learning-lab[bot] commented 3 years ago

Uh oh @danguera, something went wrong! I wasn't expecting this change. Please go over the instructions again and make sure you've followed them as exactly as you can.

If this is a pull request, so you can keep editing the file here. Keep trying, you'll get there!

If you would like help troubleshooting, create a post on the GitHub Community board. You might also want to search for your issue to see if other people have resolved it in the past.

github-learning-lab[bot] commented 3 years ago

Step 3: Merge this pull request

Great job, @danguera, your pull request looks good. Thank you for fixing the vulnerable dependency!

Note: You might notice that this repository has a package.json file, but no package-lock.json file. In production code it's a good idea to have both files to avoid conflicts resolving the proper version of a dependency. For simplicity, we'll use only package.json, but GitHub monitors both files in addition to the gamut of supported languages and packages

:keyboard: Activity: Merge

  1. Merge this pull request.
github-learning-lab[bot] commented 3 years ago

Nice job merging @danguera. Go ahead and delete the branch.


Let's see how we can automate this process. Navigate to your next issue.