Do periodic security update

[matuzalemsteles]

Well, apparently we've started getting PRs from dependabot, as we have a policy of not merging these PRs but looking more carefully at the dependencies and checking if it makes sense and instead of manipulating yarn.lock to update the root dependency.

This issue has the same effect as the issue that was created in the project https://github.com/liferay/liferay-frontend-projects/issues/112.

• Security implications of dependencies

[matuzalemsteles]

• [ ] #4453 tmpl
• [ ] #4454 ws
• [ ] #4455 y18n
• [ ] #4456 path-parse
• [ ] #4457 browserslist
• [ ] #4458 lodash

[julien]

@matuzalemsteles

I verified the changes in these dependencies and the only problem I see is that the "react-docgen" directory is something we add manually to the repository. Last time we updated it, was here.

This seems like a manual process so I'm not sure what we want to do about these dependabot alerts. W e could speak about it during our next meeting (on Thursday 12/2) to see if it sill makes sense keeping this "clayui.com" directory in the repository or moving it to somewhere else - if we keep on using something like this we're likely to get dependabot alerts once in a while, so we should decide to have an official way of closing them. (We can also disable dependabot)

[matuzalemsteles]

Hey @julien, yeah we keep it local due to a bug we had to fix locally I don't remember why this fix wasn't sent to react-docgen hoping to get into master but anyway i think we can disregard the dependabot alerts for react-docgen by not affect the components or the user on clayui.com

Usually, we will try to follow the policy that was created and keep this issue open to decide what to do with the alerts that appear, ideally it would be interesting to keep dependabot on despite being quite annoying at times, but at least in our repository it seems to be rare.

About react-docgen, ideally we want to remove this for some other #4130.

[julien]

@matuzalemsteles thanks for the clarification. Let's see if we get time to prioritize work on #4130, For the moment I think we can safely ignore this.

[matuzalemsteles]

• [ ] #4679 url-parse
• [ ] #4678 ajv

Hey @julien I'm closing the PRs and adding the reference here so that we can track them.

[julien]

@matuzalemsteles OK

[julien]

@matuzalemsteles adding these

• [ ] #4705 prismjs
• [ ] #4706 url-parse

[matuzalemsteles]

• [ ] #4770 ansi-regex
• [ ] #4771 minimist

[matuzalemsteles]

• [ ] #4798 moment

[matuzalemsteles]

• [ ] #4902 gatsby-plugin-mdx
• [ ] #4901 devcert

[matuzalemsteles]

• [ ] #4974 parse-url

[matuzalemsteles]

• [ ] #4982 moment

[matuzalemsteles]

• [ ] #5095 parse-url

[matuzalemsteles]

• [ ] #5190 socket.io-parser

[matuzalemsteles]

• [ ] #5216 minimatch

[matuzalemsteles]

• [ ] #5228 decode-uri-component
• [ ] #5227 decode-uri-component

[matuzalemsteles]

• [ ] #5240 bump

[matuzalemsteles]

• [ ] #5244 express
• [ ] #5245 qs

[matuzalemsteles]

• [ ] #5294 gatsby-transformer-remark
• [ ] #5285 json5

I should update this next week.

[matuzalemsteles]

• [ ] #5315 json5

[matuzalemsteles]

• [ ] #5346 http-cache-semantics

[matuzalemsteles]

• [ ] #5422 webpack

[matuzalemsteles]

• [ ] #5423 @sideway/formula

[matuzalemsteles]

• [ ] #5483 nunjucks