Proposed changes
This PR updates most of the packages that have critically vulnerable modules, for both API and client, and relates to issue #59.
Specific updates:
TypeORM:
a. ConnectionOptions updated to DataSourceOptions, and the cli section removed from database.ts
b. createConnection updated to DataSource; a connection to the database now has to be created with new DataSource('DataSourceOptions').initialize()
c. migration:run and migration:generate are updated; the specific command is updated in the documentation
Minio: updated from 7.0.18 to 8.0.0 for better performance and more advanced data protection
Multer: updated from 1.4.2 to 1.4.5-lts.1 to avoid a high-severity vulnerability in a dependency package
Webpack: for this package update I used npm audit fix to auto-update versions. The specific update is mainly in the webpack.config.js file: it changed contentBase to static and moved nodeEnv into optimization. This also fixed the
Error: error:0308010C: digital envelope routines::unsupported
issue, where Node had to be downgraded to 16 in order to run locally.
Types of changes
What types of changes does your code introduce?
Put an x in the boxes that apply
[ ] Bugfix (non-breaking change which fixes an issue)
[ ] New feature (non-breaking change which adds functionality)
[x] Breaking change (fix or feature that would cause existing functionality to not work as expected)
[x] Documentation Update (if none of the other choices apply)
Checklist
Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of
them, don't hesitate to ask. This is simply a reminder of what we are going to look for before merging your code.
[x] My changeset covers only what is described above (no extraneous changes)
[x] Lint and unit tests pass locally with my changes
[x] I have added tests that prove my fix is effective or that my feature works
[x] I have added necessary documentation (if appropriate)
Further comments
The client package now has 0 vulnerabilities.
The API still has 2 moderate-severity vulnerabilities due to passport-saml. The current package passport-saml is deprecated; the new one is @node-saml/passport-saml. However, the current config does not fit it at all: the whole saml-config file needs to be modified, but I have no idea where to start. Therefore, I left it for others to update.
After updating all of the packages, I tested the API with npm run test; all tests passed except one grade 200 OK test, but this is an old issue from before updating the packages. I also tested the whole program by running docker compose up and by separately running the API and client in the local environment; both are functional.
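The TypeORM part of the change above (ConnectionOptions to DataSourceOptions, the `cli` section dropped, `createConnection` replaced by `new DataSource(...).initialize()`) as an added example; this is not the project's database.ts and not code from the PR. The interfaces are a hand-written subset of TypeORM's types so the file type-checks and runs without the typeorm package installed, and the environment variable names, glob paths and `src/data-source.ts` file name are assumptions.

```typescript
// Added example, not the project's code. It mirrors the TypeORM 0.2 -> 0.3 change the
// PR describes: ConnectionOptions becomes DataSourceOptions, the `cli` section goes
// away, and createConnection(options) becomes new DataSource(options).initialize().
// The interfaces are a hand-written subset of TypeORM's own types (assumption) so
// this file type-checks and runs without the typeorm package installed.

interface LegacyConnectionOptions {
  type: "postgres";
  host: string;
  port: number;
  username: string;
  password: string;
  database: string;
  entities: string[];
  migrations: string[];
  synchronize: boolean;
  // Removed in 0.3: the CLI now takes the data source file via -d instead.
  cli?: { entitiesDir?: string; migrationsDir?: string };
}

type DataSourceOptions = Omit<LegacyConnectionOptions, "cli">;

/** Convert a 0.2-style options object into the 0.3 shape by dropping `cli`. */
export function toDataSourceOptions(legacy: LegacyConnectionOptions): DataSourceOptions {
  const { cli, ...rest } = legacy;
  void cli; // intentionally discarded: 0.3 rejects unknown option keys
  return rest;
}

function need(env: Record<string, string | undefined>, key: string): string {
  const value = env[key];
  if (!value) throw new Error(`missing required environment variable ${key}`);
  return value;
}

/** Build DataSourceOptions from environment variables (variable names are assumptions). */
export function buildDataSourceOptions(env: Record<string, string | undefined>): DataSourceOptions {
  const port = Number(env["DB_PORT"] === undefined ? "5432" : env["DB_PORT"]);
  if (isNaN(port) || port % 1 !== 0 || port < 1 || port > 65535) {
    throw new Error(`invalid DB_PORT: ${env["DB_PORT"]}`);
  }
  return {
    type: "postgres",
    host: need(env, "DB_HOST"),
    port,
    username: need(env, "DB_USER"),
    password: need(env, "DB_PASSWORD"),
    database: need(env, "DB_NAME"),
    entities: ["src/entity/**/*.ts"],
    migrations: ["src/migration/**/*.ts"],
    // synchronize rewrites tables from entity metadata on start-up; keep it off
    // outside local development so migrations remain the only schema-changing path.
    synchronize: env["NODE_ENV"] === "development" && env["DB_SYNCHRONIZE"] === "true",
  };
}

// With the real package the wiring looks like this (not executed here, typeorm is not imported):
//   import { DataSource } from "typeorm";
//   export const AppDataSource = new DataSource(buildDataSourceOptions(process.env));
//   await AppDataSource.initialize();      // replaces createConnection(options)
// and the 0.3 CLI is pointed at that file explicitly, e.g.
//   npx typeorm-ts-node-commonjs migration:run -d src/data-source.ts
```

The `synchronize` guard is a design choice of this example rather than something the PR states: with the `cli` block gone, the data source file is the single place that decides how schema changes reach the database, so it is the natural place to make sure only migrations do so outside local development.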
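The vulnerability counts in the comments above ("0 vulnerabilities" for the client, 2 moderate for the API) come from `npm audit`. As an added example, not part of the PR, here is a small gate over `npm audit --json` output that a CI job can run so such a claim is checked mechanically and a regression above a chosen severity fails the build. The report fields used follow the npm 7+ JSON format (auditReportVersion 2) as I know it; treat the exact shape as an assumption and confirm it against the npm version in use. The embedded sample report is constructed: apart from passport-saml, the package names and every version range are placeholders, not real advisories.

```typescript
// Added example, not part of the PR. Gate over `npm audit --json` output that fails
// when any finding at or above a chosen severity remains. The report shape follows
// the npm 7+ format (auditReportVersion 2) as I know it; treat it as an assumption.

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"] as const;
type Severity = (typeof SEVERITY_ORDER)[number];

interface AuditFix { name: string; version: string; isSemVerMajor: boolean }

interface AuditVulnerability {
  name: string;
  severity: Severity;
  isDirect: boolean;                // declared in package.json vs. pulled in transitively
  range: string;                    // affected version range
  fixAvailable: boolean | AuditFix; // false, true, or the top-level package to bump
}

interface AuditReport {
  auditReportVersion: number;
  vulnerabilities: Record<string, AuditVulnerability>;
}

export interface GateResult {
  pass: boolean;
  failing: string[];                    // one line per finding at or above the threshold
  bySeverity: Record<Severity, number>; // counts of every finding, for the CI log
}

export function gateAudit(reportJson: string, threshold: Severity): GateResult {
  const report = JSON.parse(reportJson) as AuditReport;
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version ${report.auditReportVersion}`);
  }
  const minRank = SEVERITY_ORDER.indexOf(threshold);
  const bySeverity: Record<Severity, number> = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const failing: string[] = [];
  for (const name of Object.keys(report.vulnerabilities)) {
    const v = report.vulnerabilities[name];
    const rank = SEVERITY_ORDER.indexOf(v.severity);
    if (rank < 0) throw new Error(`unknown severity "${v.severity}" for ${name}`);
    bySeverity[v.severity] += 1;
    if (rank >= minRank) {
      const fix = v.fixAvailable === true ? "fix available"
        : v.fixAvailable === false ? "no fix available"
        : `fix: ${v.fixAvailable.name}@${v.fixAvailable.version}${v.fixAvailable.isSemVerMajor ? " (major bump)" : ""}`;
      failing.push(`${name} ${v.range} [${v.severity}${v.isDirect ? ", direct" : ", transitive"}] ${fix}`);
    }
  }
  return { pass: failing.length === 0, failing, bySeverity };
}

// Constructed sample modelled on the API state the PR reports: two moderate findings
// traced to the deprecated passport-saml and nothing higher. The second package name
// and all ranges are placeholders, not real advisories.
export const SAMPLE_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "passport-saml": {
      name: "passport-saml", severity: "moderate", isDirect: true,
      range: "<placeholder-range>", fixAvailable: false,
    },
    "example-transitive-dep": {
      name: "example-transitive-dep", severity: "moderate", isDirect: false,
      range: "<placeholder-range>", fixAvailable: false,
    },
  },
});
```

In CI the input would be the text of `npm audit --json` (it exits non-zero when it finds anything, so capture the output regardless of exit code), and the job exits non-zero when `pass` is false, printing `failing`. A threshold of `high` would let this PR's API package through while still recording the two moderate passport-saml findings in `bySeverity`; lowering it to `moderate` once @node-saml/passport-saml is adopted turns the remaining debt into a build failure rather than a note in a PR description.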