hashicorp / boundary-ui

Monorepo for Boundary UIs and addons.
http://boundary-ui.vercel.app
89 stars 29 forks

chore: 🤖 upgrade to ws v8.17.1 to remove vulnerability #2451

Closed lisbet-alvarez closed 2 months ago

lisbet-alvarez commented 2 months ago

✅ Closes: https://hashicorp.atlassian.net/browse/ICU-14204

Description

NOTE: This PR is to be merged after the ember-cli-mirage upgrade. I'll update this branch and run tests again just to make sure.

Fixes dependabot issue #149. Upgraded jest in the rose addon, which removed the dependency that jsdom had on ws.

Note: jest was originally added to fix a missing peer dependency warning. Upgrading to v28 removed the downstream dependency on ws. After verifying that worked, I upgraded to the latest version.

Forcing socket.io-adapter to resolve to v2.5.5 caused the ws dependency to update to ~8.17.1, which fixes the vulnerability.

Dependency paths (found with yarn why <dependency name>):

  1. ws@^7.4.6 -> jsdom -> jest-environment-jsdom -> jest-config -> @jest/core -> jest@^27.4.7 in rose addon
  2. ws@~8.11.0 -> socket.io-adapter -> socket.io -> testem -> ember-cli

How to Test

Tested these changes in boundary-ui-releases. Here is the run.

  1. Created a branch that follows a semver format (ex: 1.2.3-beta.testing) that branches off of this branch.
  2. In boundary-ui-releases, use workflow dispatch for the "Release" workflow and input the boundary-ui branch name. Click "Run workflow".

To test locally:

  1. Run yarn install
  2. In ui/admin make sure app starts up properly with yarn start
  3. In ui/desktop make sure app starts up properly with yarn start:desktop

Checklist
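The PR above locates the vulnerable ws copies with yarn why and then removes them by upgrading the consumer (jest) on one path and forcing a resolution on the other. The script below is an added example, not code from the boundary-ui PR or repository: it reads a Yarn classic (v1) yarn.lock, lists every resolved version of a package, flags the ones below a caller-supplied minimum fixed version (8.17.1 for ws, per the PR), and separates the ranges a yarn "resolutions" pin could satisfy from the ones whose consumer has to be upgraded instead, which is what happened to the ws@^7.4.6 path via jest. The lock text is constructed to mirror the two paths the PR lists and is not a real boundary-ui lock file; the "same major" rule for deciding pinnability is a simplifying assumption, and pinning ws directly generalizes the PR's choice of pinning socket.io-adapter.

```javascript
// Added example, not code from the boundary-ui PR: audit a Yarn v1 lock file for
// every resolved version of one package and flag those below a minimum fixed version.
// Assumptions: Yarn classic (v1) lock format; the minimum fixed version is supplied by
// the caller (8.17.1 for ws, as stated in the PR).

// Constructed sample lock text, not a real boundary-ui yarn.lock. It mirrors the two
// ws paths the PR lists (ws@^7.4.6 and ws@~8.11.0) plus an already-patched 8.17.1 entry.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


ws@^7.4.6:
  version "7.5.9"
  resolved "https://registry.yarnpkg.com/ws/-/ws-7.5.9.tgz"
  integrity sha512-constructed

ws@~8.11.0:
  version "8.11.0"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.11.0.tgz"
  integrity sha512-constructed

"ws@^8.17.1", ws@~8.17.1:
  version "8.17.1"
  resolved "https://registry.yarnpkg.com/ws/-/ws-8.17.1.tgz"
  integrity sha512-constructed

socket.io-adapter@~2.5.2:
  version "2.5.5"
  resolved "https://registry.yarnpkg.com/socket.io-adapter/-/socket.io-adapter-2.5.5.tgz"
  integrity sha512-constructed
  dependencies:
    ws "~8.17.1"
`;

// Parse Yarn v1 lock text into [{ name, spec, version }], one item per specifier.
// Header lines are unindented, end with ":" and may list several (quoted) specifiers;
// the following two-space-indented `version "x.y.z"` line gives their resolution.
function parseYarnLock(text) {
  const entries = [];
  let specs = [];
  for (const raw of text.split("\n")) {
    if (raw.startsWith("#") || raw.trim() === "") continue;
    if (!raw.startsWith(" ") && raw.endsWith(":")) {
      specs = raw.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      continue;
    }
    const m = /^\s{2}version "([^"]+)"/.exec(raw);
    if (m) {
      for (const spec of specs) {
        const at = spec.lastIndexOf("@"); // lastIndexOf keeps scoped names ("@jest/core") intact
        entries.push({ name: spec.slice(0, at), spec: spec.slice(at + 1), version: m[1] });
      }
      specs = [];
    }
  }
  return entries;
}

// Numeric "major.minor.patch" comparison; prerelease/build suffixes are ignored.
function compareSemver(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// First number in a range such as "^7.4.6" or "~8.11.0": its major version.
function rangeMajor(spec) {
  const m = /(\d+)/.exec(spec);
  return m ? Number(m[1]) : NaN;
}

// Lock entries for `name` whose resolved version is below `minFixed`.
function findVulnerable(lockText, name, minFixed) {
  return parseYarnLock(lockText)
    .filter((e) => e.name === name && compareSemver(e.version, minFixed) < 0);
}

// Split offending ranges into those a yarn "resolutions" pin can satisfy (same major
// as the fix; an assumed heuristic) and those whose consumer must be upgraded instead,
// as the PR did with jest for the ws@^7.4.6 path.
function suggestResolutions(lockText, name, minFixed) {
  const fixedMajor = rangeMajor(minFixed);
  const offending = findVulnerable(lockText, name, minFixed);
  const pinnable = offending.filter((e) => rangeMajor(e.spec) === fixedMajor);
  const needsConsumerUpgrade = offending
    .filter((e) => rangeMajor(e.spec) !== fixedMajor)
    .map((e) => e.spec);
  return { pin: pinnable.length ? { [name]: minFixed } : {}, needsConsumerUpgrade };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findVulnerable(SAMPLE_LOCK, "ws", "8.17.1"));
  console.log(suggestResolutions(SAMPLE_LOCK, "ws", "8.17.1"));
}
```

The lock file only says which versions are installed; the chain that pulls each one in (jsdom, jest, socket.io-adapter, testem, ember-cli) still comes from yarn why, and a "resolutions" pin should only be applied where the fixed version actually satisfies the consumer's range.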

vercel[bot] commented 2 months ago

The latest updates on your projects.

Name                  Status    Updated (UTC)
boundary-ui           ✅ Ready  Aug 23, 2024 8:02pm
boundary-ui-desktop   ✅ Ready  Aug 23, 2024 8:02pm