Open sniok opened 4 months ago
It'd be nice to also make sure we don't have any unused deps. Also, there's a package.json in the root for some reason, which probably shouldn't be there.
I edited the PR description to add the different places we need to update deps.
Also, added the security label, because sometimes updating a dependency requires a significant amount of changes. It can be that there are no security patches for old versions, and then it may take like a week or even a month to do the required changes. In the meantime, there would be no easy way to apply security updates. Additionally, often old and deprecated versions don't get CVEs logged against them at all, and also fixes are made that never get a security issue reported.
We always have to update dependencies... but I think we should keep this issue open since we have quite a backlog. Let's set the number: at least 90% of packages are updated before closing?
The frontend/ and headlamp-plugin dependencies can be done in the next release cycle.
When you run npm install there are a bunch of packages that are marked as deprecated. We should look into updating them. It's a security issue, because it's sometimes easier to update to a security fix that might not be available without spending a lot of work upgrading.
90% of packages are updated to the most recent version for:
npm outdated
npm outdated
go list -u -m all
npm outdated
Additional info
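
One way to check the 90% target from the issue description, as an added example that is not part of the original issue or the project's code: it reads the output of `npm outdated --json` and `go list -u -m all` and reports whether enough packages are already on their latest version. The function names and all sample data are constructed for illustration.

```javascript
// Added example; every input below is a constructed sample.
const TARGET_PERCENT = 90; // threshold proposed in the thread

function summarize(total, stale) {
  // Integer comparison avoids floating-point surprises at exactly 90%.
  const meetsTarget = (total - stale.length) * 100 >= TARGET_PERCENT * total;
  return { total, stale: stale.sort(), meetsTarget };
}

// packageJson: text of package.json. outdatedJson: stdout of `npm outdated --json`,
// which lists only packages that are behind, keyed by package name.
function npmCoverage(packageJson, outdatedJson) {
  const pkg = JSON.parse(packageJson);
  const direct = new Set(Object.keys({ ...pkg.dependencies, ...pkg.devDependencies }));
  const report = JSON.parse(outdatedJson.trim() || '{}'); // empty output: nothing outdated
  const stale = Object.keys(report).filter((name) => {
    const entries = [].concat(report[name]); // npm may emit an array per name
    return direct.has(name) && entries.some((e) => e.current !== e.latest);
  });
  return summarize(direct.size, stale);
}

// listOutput: stdout of `go list -u -m all` (direct and indirect modules). A module
// with a newer release prints as "path version [newer]"; the main module has no version.
function goCoverage(listOutput) {
  const mods = listOutput.split('\n')
    .map((line) => line.trim().match(/^(\S+)\s+(v\S+)(?:.*\[(v[^\]]+)\])?/))
    .filter(Boolean);
  return summarize(mods.length, mods.filter((m) => m[3]).map((m) => m[1]));
}

// Constructed package.json with ten direct dependencies, one of them outdated.
const names = 'abcdefghij'.split('').map((c) => `pkg-${c}`);
const samplePackageJson = JSON.stringify({
  dependencies: Object.fromEntries(names.slice(0, 7).map((n) => [n, '^1.0.0'])),
  devDependencies: Object.fromEntries(names.slice(7).map((n) => [n, '^1.0.0'])),
});
const sampleOutdated = JSON.stringify({
  'pkg-c': { current: '1.0.0', wanted: '1.0.3', latest: '2.0.0' },
});
// Constructed module list: four modules, one with a newer release available.
const sampleGoList = [
  'example.com/app',
  'example.com/mod-a v1.2.0 [v1.4.0]',
  'example.com/mod-b v0.3.1',
  'example.com/mod-c v2.0.0+incompatible',
  'example.com/mod-d v1.0.0',
].join('\n');

console.log(npmCoverage(samplePackageJson, sampleOutdated), goCoverage(sampleGoList));
```

Deprecated packages that have no newer release do not show up in either listing, so the deprecation warnings from npm install still need a separate look.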