infinitered / solidarity

Solidarity is an environment checker for project dependencies across multiple machines.
https://infinitered.github.io/solidarity/
MIT License
640 stars 49 forks

WIP - Fixing Gluegun and other dep upgrades #235

Closed jamonholmgren closed 4 years ago

jamonholmgren commented 5 years ago

@GantMan I started working through this but ran out of time. Can you carry the ball forward from here? I've made some progress, but am still getting test failures.

avaGitHubBot commented 5 years ago
Warnings
:warning: Changes were made to package.json, but not to package-lock.json - Perhaps you need to run `npm install`?

Generated by :no_entry_sign: dangerJS

GantMan commented 5 years ago

Let's hold on this. I have a major PR in progress. It breaks tons of tests and would significantly affect this work. Sorry :( I wish it were done, but it's a pain so I'm taking it slower.

jamonholmgren commented 5 years ago

Can you bring Gluegun up to latest while you're at it, @GantMan ? I'd love to be able to use Solidarity to test new Gluegun releases.

GantMan commented 5 years ago

@jamonholmgren if you merge or approve and I merge #236 then you can jump back into this one.

derekgates commented 4 years ago

Any updates on merging this PR or #249 ?

I look forward to using this system at work but the audit problems prevent this.

  Low             Prototype Pollution
  Package         lodash
  Patched in      >=4.17.5
  Dependency of   solidarity
  Path            solidarity > gluegun > cli-table2 > lodash
  More info       https://npmjs.com/advisories/577

  High            Prototype Pollution
  Package         lodash
  Patched in      >=4.17.11
  Dependency of   solidarity
  Path            solidarity > gluegun > cli-table2 > lodash
  More info       https://npmjs.com/advisories/782

  High            Prototype Pollution
  Package         lodash
  Patched in      >=4.17.12
  Dependency of   solidarity
  Path            solidarity > gluegun > cli-table2 > lodash
  More info       https://npmjs.com/advisories/1065

  Moderate        Denial of Service
  Package         axios
  Patched in      >=0.18.1
  Dependency of   solidarity
  Path            solidarity > gluegun > apisauce > axios
  More info       https://npmjs.com/advisories/880

  High            Prototype Pollution
  Package         set-value
  Patched in      >=2.0.1 <3.0.0 || >=3.0.1
  Dependency of   solidarity
  Path            solidarity > gluegun > enquirer > prompt-question >
                  prompt-choices > set-value
  More info       https://npmjs.com/advisories/1012

  High            Prototype Pollution
  Package         set-value
  Patched in      >=2.0.1 <3.0.0 || >=3.0.1
  Dependency of   solidarity
  Path            solidarity > gluegun > enquirer > set-value
  More info       https://npmjs.com/advisories/1012

  High            Prototype Pollution
  Package         set-value
  Patched in      >=2.0.1 <3.0.0 || >=3.0.1
  Dependency of   solidarity
  Path            solidarity > gluegun > prompt-autocompletion > prompt-base >
                  prompt-question > prompt-choices > set-value
  More info       https://npmjs.com/advisories/1012

  High            Prototype Pollution
  Package         set-value
  Patched in      >=2.0.1 <3.0.0 || >=3.0.1
  Dependency of   solidarity
  Path            solidarity > gluegun > prompt-autocompletion >
                  prompt-choices > set-value
  More info       https://npmjs.com/advisories/1012

If this PR is still desired, would it be helpful to resolve the conflicts and rebase/merge this again? I can certainly help with that!
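Every one of the lodash and set-value findings in the audit report above is the same bug class, prototype pollution: a recursive merge or set-by-path helper that follows a user-supplied `__proto__` key into `Object.prototype`, so that an attacker-controlled JSON document adds properties to every object in the process. The snippet below is an added illustration of that class and is not code from solidarity, gluegun, lodash or set-value; `unsafeMerge` is a constructed stand-in for the kind of helper those advisories cover, `safeMerge` is one common hardening (refuse the `__proto__`, `constructor` and `prototype` keys and only descend into own properties), and `ATTACKER_JSON` is constructed input standing in for a config file or request body.

```javascript
// Constructed example of the prototype-pollution class named in the
// npm audit report above. unsafeMerge is a stand-in for a naive
// recursive merge, not lodash's or set-value's actual code.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      // With key === '__proto__', target[key] resolves through the
      // Object.prototype accessor to Object.prototype itself, so the
      // recursive call writes attacker-chosen properties onto every object.
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: drop the keys that reach the prototype chain and
// only walk into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input. JSON.parse creates "__proto__"
// as an ordinary own property, so Object.keys() returns it.
const ATTACKER_JSON = '{"name":"app","__proto__":{"isAdmin":true}}';

// Merge the hostile document into a fresh object with the given helper and
// report whether an unrelated, brand-new object gained the injected property.
// Object.prototype is cleaned up afterwards so later code is unaffected.
function demonstrate(mergeFn) {
  const before = ({}).isAdmin;            // undefined before the merge
  const merged = mergeFn({}, JSON.parse(ATTACKER_JSON));
  const after = ({}).isAdmin;             // true only if the prototype was polluted
  delete Object.prototype.isAdmin;
  return { before, after, name: merged.name };
}

console.log('unsafeMerge:', demonstrate(unsafeMerge));
console.log('safeMerge:  ', demonstrate(safeMerge));
```

After bumping gluegun, `npm audit` and `npm ls lodash set-value` are the quick checks that no version below the "Patched in" ranges listed above is still reachable through a transitive path.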

jamonholmgren commented 4 years ago

Closing the loop, we are up to Gluegun 4.2.0 (latest as of now is 4.3.1).

https://github.com/infinitered/solidarity/blob/7d36c90dafafe2a27b29f411dc85f9ca129a678b/package.json#L41