Chore / Maintenance 2024 q2

MelissaDTH commented 2 weeks ago

Maintenance 2024 Q2

At Videodock, we conduct quarterly maintenance to address any security risks and proactively upgrade the dependencies. This PR accomplishes that, with notable details outlined below.

Prepare

[x] Pull main, run yarn
[x] Test dev server and release build

Update dependencies

[x] Run yarn upgrade and test dev server
[x] Fix critical issues (must)
[x] Fix high risk issues (should)
[ ] Fix moderate risk issues
[x] Run $ npx syncyarnlock -skgl to sync the yarn.lock file to the package.json
[x] Run linting, unit tests, e2e tests
[x] Test dev server and release build
[x] Check if project needs modernisation (i.e. missing readme, dependabot config)
[x] Test dev server and release build
[x] Rebase dependabot PR's onto this PR, see if still needed, merge and monkey test

Clean up

[x] Remove unused branches and PR's
[x] Log skipped or notable updates in PR description

After merge

Rebase and check left over dependabot issues (+ monkey test dev/release)
Make new version
Push build to acc/stg
Notify PM if specific features need extra testing

Notable updates

1. @types/reflect-metadata is removed

reflect-metadata provides its own type definitions, so we don't need to install @types/reflect-metadata anymore

2. ignoreDependencies is removed in `knip.config.ts`

After this update, the knip package does now sees that eslint-config-jwp exists, so there's no need to add this to ignoreDependencies anymore

3. Security Issues Summary

Currently, these 4 issues originate from the @inplayer-org/inplayer.js package, which cannot be updated because we are already on the latest version, see an overview here:

Severity	Issue Description	Package	Dependency Path
High	ws affected by a DoS when handling a request with many HTTP headers	ws	@jwp/ott-common > @inplayer-org/inplayer.js > aws-iot-device-sdk > websocket-stream > ws
High	ws affected by a DoS when handling a request with many HTTP headers	ws	@jwp/ott-web > @jwp/ott-common > @inplayer-org/inplayer.js > aws-iot-device-sdk > websocket-stream > ws
Moderate	Axios Cross-Site Request Forgery Vulnerability	axios	@jwp/ott-common > @inplayer-org/inplayer.js > axios
Moderate	Axios Cross-Site Request Forgery Vulnerability	axios	@jwp/ott-web > @jwp/ott-common > @inplayer-org/inplayer.js > axios

Steps completed:

According to our definition of done, I have completed the following steps:

[x] Acceptance criteria met
[ ] Unit tests added
[ ] Docs updated (including config and env variables)
[ ] Translations added
[x] UX tested
[x] Browsers / platforms tested
[x] Rebased & ready to merge without conflicts
[x] Reviewed own code

github-actions[bot] commented 2 weeks ago

Visit the preview URL for this PR (updated for commit b2dde68):

https://ottwebapp--pr560-chore-maintenance-20-bxuibuga.web.app

_{(expires Sat, 20 Jul 2024 08:37:55 GMT)}

_{🔥 via Firebase Hosting GitHub Action 🌎}

_{Sign: c198f8a3a199ba8747819f7f1e45cf602b777529}

royschut commented 2 weeks ago

Maybe we can syncyarnlock so that package.json aligns with the upgrade. @MelissaDTH

royschut commented 2 weeks ago

If we want to be even more safe, we could add resolutions for the leftover risks:

  "resolutions": {
    "axios": "^0.28.0",
    "ws": "^8.17.1"
  }

jwplayer / ott-web-app