saleor / saleor-storefront

A GraphQL-powered, NextJs-based, PWA storefront for Saleor. IMPORTANT: This project is [DEPRECATED] in favor of saleor/react-storefront soon to become our default demo and storefront starter pack.
https://demo.saleor.io/
BSD 3-Clause "New" or "Revised" License

large number of packages and vulns #569

Closed rosscdh closed 4 years ago

rosscdh commented 4 years ago

What I'm trying to achieve

Good work on a nicely abstracted clean shop system!

I have a question about the number of packages and vulnerabilities

added 3514 packages from 1833 contributors and audited 948308 packages in 76.514s
found 8900 vulnerabilities (4 low, 7 moderate, 8887 high, 2 critical)

this seems rather high even for a node app?

Steps to reproduce the problem

  1. npm i

What I expected to happen

only necessary packages get installed and pref 0 high and 0 critical packages?

Screenshots

System information

Operating system:
Browser:

jpkempf commented 4 years ago

npm audit fix actually fixes almost all of them:

fixed 8896 of 8900 vulnerabilities in 948308 scanned packages
  2 vulnerabilities required manual review and could not be updated
  1 package update for 2 vulnerabilities involved breaking changes

the remaining three issues would need to be looked at individually but look like they're fixable as well (both criticals are in the same package, dompurify)

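The triage jpkempf describes above (run the audit, let npm auto-fix what it can, then look at the handful that need manual review or a breaking upgrade) is easy to automate as a build gate. The following script is an added example, not code from saleor-storefront: it parses the JSON that npm audit --json writes, in both the npm 6 shape (top-level "advisories", where a patched_versions range of "<0.0.0" means no fixed release exists) and the npm 7+ shape ("auditReportVersion": 2, where fixAvailable is false, true, or an object flagged isSemVerMajor for a breaking upgrade). The two sample reports, their package names, advisory ids and counts are constructed for the example; the field names are the ones npm emits.

```python
"""Gate a build on the output of `npm audit --json`.

Added example (not part of saleor-storefront). Handles both the npm 6 report
shape (top-level "advisories") and the npm 7+ shape ("auditReportVersion": 2,
top-level "vulnerabilities"); both carry metadata.vulnerabilities counts.
"""
import json
import sys
from typing import Any, Dict, List, Tuple

SEVERITIES = ("info", "low", "moderate", "high", "critical")

# Constructed sample reports: package names, ids and counts are made up for
# this example (the npm 6 counts echo the ones quoted in the issue).
SAMPLE_NPM6 = json.dumps({
    "advisories": {
        "1234": {"id": 1234, "module_name": "pkg-a", "severity": "critical",
                 "patched_versions": "<0.0.0"},   # "<0.0.0": no patched release
        "1235": {"id": 1235, "module_name": "pkg-b", "severity": "high",
                 "patched_versions": ">=2.0.0"},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 4, "moderate": 7,
                                      "high": 8887, "critical": 2}},
})
SAMPLE_NPM7 = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-a": {"name": "pkg-a", "severity": "critical", "fixAvailable": False},
        "pkg-b": {"name": "pkg-b", "severity": "high",
                  "fixAvailable": {"name": "pkg-b", "version": "2.0.0",
                                   "isSemVerMajor": True}},
        "pkg-c": {"name": "pkg-c", "severity": "low", "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                      "high": 1, "critical": 1, "total": 3}},
})


def load_report(text: str) -> Dict[str, Any]:
    """Parse the raw JSON text that `npm audit --json` prints."""
    return json.loads(text)


def severity_counts(report: Dict[str, Any]) -> Dict[str, int]:
    """Per-severity counts; both report shapes expose metadata.vulnerabilities."""
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}


def unfixable(report: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(package, severity) pairs that `npm audit fix` cannot resolve at all."""
    found: List[Tuple[str, str]] = []
    if report.get("auditReportVersion", 1) >= 2:
        for name, vuln in report.get("vulnerabilities", {}).items():
            if vuln.get("fixAvailable") is False:
                found.append((name, vuln.get("severity", "unknown")))
    else:
        for adv in report.get("advisories", {}).values():
            # npm 6 signals "no patched version" with the empty range "<0.0.0"
            if adv.get("patched_versions") == "<0.0.0":
                found.append((adv.get("module_name", "?"), adv.get("severity", "unknown")))
    return sorted(found)


def breaking_fixes(report: Dict[str, Any]) -> List[str]:
    """Packages whose only fix is a semver-major bump (npm 7+ flags this)."""
    names = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable")
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            names.append(name)
    return sorted(names)


def gate(report: Dict[str, Any],
         fail_on: Tuple[str, ...] = ("high", "critical")) -> Tuple[bool, str]:
    """Return (passed, summary); fails when any severity in fail_on is nonzero."""
    counts = severity_counts(report)
    blocking = [sev for sev in fail_on if counts.get(sev, 0) > 0]
    parts = [f"{counts[s]} {s}" for s in SEVERITIES if counts[s]]
    summary = "found " + (", ".join(parts) if parts else "no vulnerabilities")
    for pkg, sev in unfixable(report):
        summary += f"\n  no fix available: {pkg} ({sev})"
    for pkg in breaking_fixes(report):
        summary += f"\n  fix needs a major upgrade: {pkg}"
    return (not blocking, summary)


def main(argv: List[str]) -> int:
    # Usage: npm audit --json | python audit_gate.py   (exit status 1 blocks the build)
    raw = open(argv[1]).read() if argv[1:] else sys.stdin.read()
    passed, summary = gate(load_report(raw))
    print(summary)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it after npm audit fix in CI so that the build only proceeds once the high and critical counts are zero; the summary lists the entries that need a human decision, which is the set jpkempf describes as needing to be looked at individually.
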
tboulogne commented 4 years ago

@jpkempf but do you get same error on:

npm run build

> saleor-site@0.7.0 build /home/manager/saleor-storefront
> webpack -p

/home/manager/saleor-storefront/node_modules/webpack-cli/bin/cli.js:244
                throw err;
                ^

TypeError: CleanWebpackPlugin is not a constructor
    at module.exports (/home/manager/saleor-storefront/config/webpack/config.base.js:84:5)
    at module.exports (/home/manager/saleor-storefront/webpack.config.js:17:16)

rosscdh commented 4 years ago

@tboulogne needs to be npm run-script build, seems to work for me?

rosscdh commented 4 years ago

npm run build works too

tboulogne commented 4 years ago

@rosscdh none for me :-(

rosscdh commented 4 years ago

No, I spoke too soon... the actual build errors out

rosscdh commented 4 years ago

ERROR in /Users/ross/Desktop/saleor-demo/saleor-wagtail-demo/saleor-storefront/src/sitemap/fetchItems.ts
ERROR in /Users/ross/Desktop/saleor-demo/saleor-wagtail-demo/saleor-storefront/src/sitemap/fetchItems.ts(14,42):
TS2322: Type 'typeof fetch' is not assignable to type '{ (input: RequestInfo, init?: RequestInit): Promise<Response>; (input: RequestInfo, init?: RequestInit): Promise<Response>; }'.
  Types of parameters 'url' and 'input' are incompatible.
    Type 'RequestInfo' is not assignable to type 'import("/Users/ross/Desktop/saleor-demo/saleor-wagtail-demo/saleor-storefront/node_modules/@types/node-fetch/index").RequestInfo'.
      Type 'Request' is not assignable to type 'RequestInfo'.
        Type 'Request' is missing the following properties from type 'Request': context, compress, counter, follow, and 6 more.
Child html-webpack-plugin for "index.html":

rosscdh commented 4 years ago

tests are green

 PASS  src/@next/components/organisms/Overlay/test.tsx
 PASS  src/@next/components/atoms/Tile/test.tsx
 PASS  src/@next/components/atoms/DropdownMenu/test.tsx (6.151s)
 PASS  src/@next/components/atoms/DropdownSelect/test.tsx
 PASS  src/@next/components/molecules/ProductListHeader/test.tsx (8.554s)
 PASS  src/@next/components/molecules/TextField/test.tsx
 PASS  src/@next/components/molecules/FilterAttribute/test.tsx
 PASS  src/@next/components/molecules/FormFooter/test.tsx (8.708s)
 PASS  src/@next/components/molecules/CardHeader/test.tsx (8.77s)
 PASS  src/@next/components/molecules/AddressTile/test.tsx (8.895s)
 PASS  src/@next/components/atoms/Message/test.tsx
 PASS  src/@next/components/atoms/Button/test.tsx
 PASS  src/@next/components/molecules/AccountMenuMobile/test.tsx
 PASS  src/@next/components/molecules/InputSelect/test.tsx
 PASS  src/@next/components/atoms/InputLabel/test.tsx
 PASS  src/@next/components/atoms/RichTextContent/test.tsx
 PASS  src/@next/components/atoms/ErrorMessage/test.tsx
 PASS  src/@next/components/molecules/CreditCardTile/test.tsx
 PASS  src/@next/components/molecules/AccountMenu/test.tsx
 PASS  src/@next/components/molecules/OverlayItem/test.tsx
 PASS  src/@next/components/atoms/Address/test.tsx
 PASS  src/@next/components/molecules/AccountTabTiles/test.tsx
 PASS  src/@next/components/atoms/ButtonLink/test.tsx
 PASS  src/@next/components/molecules/CreditCardNumberWithIcon/test.tsx
 PASS  src/@next/components/containers/Money/test.tsx
 PASS  src/@next/components/atoms/Select/test.tsx
 PASS  src/@next/components/atoms/Attribute/test.tsx
 PASS  src/@next/components/atoms/Label/test.tsx
 PASS  src/@next/components/organisms/AddressFormModal/test.tsx
 PASS  src/@next/components/atoms/AddNewTile/test.tsx
 PASS  src/@next/components/atoms/CreditCardIcon/test.tsx
 PASS  src/@next/components/organisms/AddressGrid/test.tsx (5.367s)
 PASS  src/@next/components/organisms/CreditCardGrid/test.tsx
 PASS  src/@next/components/organisms/CreditCardForm/test.tsx (13.33s)
 PASS  src/@next/components/molecules/CachedImage/test.tsx
 PASS  src/@next/components/organisms/FilterSidebar/test.tsx
 PASS  src/@next/components/organisms/Modal/test.tsx (13.383s)
 PASS  src/@next/components/organisms/SizeOverlay/test.tsx
 PASS  src/@next/components/molecules/OrderTabel/test.tsx (13.439s)
 PASS  src/@next/components/organisms/SideNavbar/test.tsx
 PASS  src/@next/components/organisms/AddressForm/test.tsx (13.67s)
 PASS  src/@next/components/atoms/NavLink/test.tsx
 PASS  src/@next/components/atoms/Icon/test.tsx
 PASS  src/@next/components/organisms/TopNavbar/test.tsx
 PASS  .storybook/__tests__/storyshots.test.js (13.146s)

Test Suites: 45 passed, 45 total
Tests:       243 passed, 243 total
Snapshots:   92 passed, 92 total
Time:        28.103s
Ran all test suites.

tboulogne commented 4 years ago

@rosscdh explain your path please :-)

jpkempf commented 4 years ago

@tboulogne sorry, you're right—build errors out for me as well. Looks like a type error at first glance so should be fixable, but I haven't taken a deeper look yet.

tboulogne commented 4 years ago

@jpkempf build or start are gone!

rosscdh commented 4 years ago

> @rosscdh explain your path please :-)

What's to explain?

  1. demo of saleor (pre PWA)
  2. demo of saleor (with PWA)
  3. currently integrating with wagtail

tboulogne commented 4 years ago

@rosscdh interested in your point "currently integrating with wagtail", we could discuss in PM if needed :-)

rosscdh commented 4 years ago

Certainly :) would be a pleasure

mateuszkula commented 4 years ago

Security and type issues are solved on master branch.

tboulogne commented 4 years ago

@mateuszkula thanks for the update. Build starts. With npm i, one vulnerability remains:

  1 vulnerability required manual review and could not be updated

Any idea?

mateuszkula commented 4 years ago

@tboulogne https://www.npmjs.com/advisories/961

there is no fix yet for this one

tboulogne commented 4 years ago

@mateuszkula thanks for the update. A new one for you :) if you're ready: #570