chore: 🤖 audit most recent resolutions

[lisbet-alvarez]

Description

Resolutions Audited:

• loader-utils
  • Upgraded babel-loader to 9.2.1 which removes loader-utils dep.
  • Forced babel-loader version ^8.0.6 to resolve to 8.4.1 which uses loader-utils patched version
    • babel-loader is a dependency of ember-auto-import
• minimatch
  • Resolution not needed anymore since all occurrences resolved to patched version
• prismjs
  • Was not needed since all versions resolved to 1.27.0 which is patched
• underscore -> nomnom -> jsonlint
  • jsonlint seems unmaintained we should replace but resolution still needed for now
• trim
  • Resolution not needed & dependency actually not needed anywhere (no matches)
• micromatch
  • Resolution still needed
  • micromatch@^3.1.4 -> anymatch@^2.0.0 -> sane@^4.0.0 -> broccoli@^3.5.2 -> ember-cli@^5.12.0
  • micromatch@^3.1.4 -> sane@^4.0.0 -> broccoli@^3.5.2 -> ember-cli@^5.12.0
  • micromatch@^3.1.4 -> find-yarn-workspace-root@^1.2.1 -> ember-cli-dependency-checker@^3.3.2
• send
  • Resolution not needed since forcing express to recently released version fixes it.

How to Test

boundary-ui-releases: test run

Checklist

• [ ] I have added before and after screenshots for UI changes
• [ ] I have added JSON response output for API changes
• [ ] I have added steps to reproduce and test for bug fixes in the description
• [ ] I have commented on my code, particularly in hard-to-understand areas
• [X] My changes generate no new warnings
• [ ] I have added tests that prove my fix is effective or that my feature works

[vercel[bot]]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
boundary-ui	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 28, 2024 11:17pm
boundary-ui-desktop	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Oct 28, 2024 11:17pm

[calcaide]

I am not understanding from the PR description underscore -> nomnom -> jsonlint.

If I run yarn why jsonlint the only result I get is from Rose, and we are actually resolving jsonlint as dependency.

So I am confuse by your comment. Are you saying that underscore contains nommon which contains jsonlint? the resolution we have is the other way around **/nomnom/underscore, can you please elaborate a bit? thank you

[calcaide]

I follow up the breadcrumbs with micromatch, as despite we still need it today, if we perform an ember-cli upgrade, most likely we will not need it anymore.

After deleting the resolution of micromatch, reinstalling deps and running yarn why micromatch, you can see most deps that use micromatch are using a version with no vulnerabilities 4.0.8.

The only 2 deps that bring micromatch versions with security vulnerabilities, are dependencies from ember-cli. I am not 100% sure, since needs to be checked, but I bet upgrading ember-cli can solve this issue and the resolutions will not be need anymore.

I am not mentioning this to do perform that work now, but to audit with breadcrumbs, so we can asses how to get rid of the resolution in the future.

[lisbet-alvarez]

I am not understanding from the PR description underscore -> nomnom -> jsonlint.

If I run yarn why jsonlint the only result I get is from Rose, and we are actually resolving jsonlint as dependency.

So I am confuse by your comment. Are you saying that underscore contains nommon which contains jsonlint? the resolution we have is the other way around **/nomnom/underscore, can you please elaborate a bit? thank you

i write the dependencies backwards because its easier for me to understand that way, but it means that jsonlint has nomnom as a dep and nomnom has underscore as a dep. Apologies for the confusion.

[calcaide]

I am not understanding from the PR description underscore -> nomnom -> jsonlint. If I run yarn why jsonlint the only result I get is from Rose, and we are actually resolving jsonlint as dependency. So I am confuse by your comment. Are you saying that underscore contains nommon which contains jsonlint? the resolution we have is the other way around **/nomnom/underscore, can you please elaborate a bit? thank you

i write the dependencies backwards because its easier for me to understand that way, but it means that jsonlint has nomnom as a dep and nomnom has underscore as a dep. Apologies for the confusion.

Ahh gotcha! All good 😉