ethereum / sourcify

Decentralized Solidity contract source code verification service
https://sourcify.dev
MIT License
770 stars, 378 forks

Upgrade vulnerable dependencies #1431

Closed manuelwedler closed 1 month ago

manuelwedler commented 2 months ago

(After #1428 )

With npm audit, you can see there are a lot of vulnerable dependencies. They should be upgraded. As part of this issue, we should take a look at tools for automatically managing dependencies, like Dependabot.

manuelwedler commented 2 months ago

I now remember the tool I used in another project: Renovate (https://docs.renovatebot.com/). In my experience, it was much nicer to work with than Dependabot. It was easier to configure than Dependabot, and wouldn't create one PR for each dependency.

kuzdogan commented 2 months ago

Cool :) Feel free to integrate if you think it's better

manuelwedler commented 1 month ago

Production vulnerabilities are fixed with these commits: https://github.com/ethereum/sourcify/compare/513b19bf42b3661721b306299ed957f9c2181f35...38192b7d46f70a951db19f4c3f95d53166653a0b

npm still shows some vulnerabilities. But these are due to dev dependencies, which are no problem. You can use npm audit --omit=dev. Regarding Renovate, I am still waiting for EF DevOps to add it to our repo: https://github.com/ethereum/devops/issues/1476

manuelwedler commented 1 month ago

Renovate is now running on the project. This is done.