dsriseah
commented
4 months ago Raw nodes on package updates from @Sakelun posted to Slack on May 21. This is the basis for the work in PR #9 Core Platform Update for Node v18
Packages Updated (Back-end)
-
adm-zip: Minor update (v0.4.14 to v0.5.10) Not updated -
ajv: Major update (v6.10.2 to v8.12.0) Not updated -
cookie-parser: Patch update (v1.4.4 to v1.4.6) Rationale: Dependency updates Changelog: https://github.com/expressjs/cookie-parser/blob/master/HISTORY.md -
debounce: Major update (v1.2.0 to v2.0.0) Not updatedAdds requirement: Node v18 Updates some devDependencies for testing (Does not need to be updated)
-
ejs: Major update (v2.7.1 to v3.1.9) Rationale: npm audit vulnerability (critical) / ejs template injection vulnerability https://github.com/advisories/GHSA-phwq-j96m-2c2qNotes: changelogs apparently stop being a thing after 2.7.4 ? Was able to dig up a CHANGELOG file that provided notes for v3.0.1 which has since been removed
v3.0.1 Removed require.extensions (@mde) Removed legacy preprocessor include (@mde) Removed support for EOL Nodes 4 and 6 (@mde)
-
express: Minor update (v4.17.1 to v4.18.2) Rationale: Required for Node v18 support Changelog: https://expressjs.com/en/changelog/4x.htmlRelevant changes
v4.17.2
- Bug fixes
- Supports Node 14.x v4.167.3
- Bug fixes v4.18.0
- Supports Node 18.x
- N/A (method not used): Cookie expirations don't accept invalid dates
- N/A (method not used): Cookie supports null/undefined as maxAge
- N/A (status code not used): Proper support for HTTP 205 responses
- N/A (method not used): Use http-errors for res.format() v4.18.1 ... v4.18.3
- Bug fixes
-
fs-extra: Major update (v8.1.0 to v11.2.0) Not updated Changelog: https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.mdFew possible breaking changes, but fundamentally doesn't need to be updated.
-
hashids: Major update (v1.2.2 to v2.3.0) Rationale: Required to avoid an invalid state loop that occurs in SystemShell.jsx Changelog: https://github.com/niieani/hashids.js/blob/master/CHANGELOG.mdMajor changes; rewritten in Typescript Breaking changes:
- when used from Node (without ESM enabled), you now need to require('hashids/cjs')
- Hashids now throws errors when being constructed with incorrect options (previously, it silently falled back to defaults)
-
ip: Major update (v1.1.5 to ~v2.0.1~ v1.1.9) Rationale: Node v18 support added in v1.1.6+; CVEs "fixed" in v1.1.9+ or 2.0.1+ Changelog: None provided; inferred from commit historyActive CVEs on this project and seems unmaintained: https://github.com/indutny/node-ip/issues/150
-
lokijs: Patch update (v1.5.7 to v1.5.12) Not updated Changelog: None maintained beyond 1.5.7 -
multer: Patch update (v1.4.2 to v1.4.5-lts.1) Rationale: Resolves DoS vulnerability and 1.4.2 is deprecated (https://github.com/expressjs/multer/issues/1254) Changelog: None maintained beyond 1.4.2Of consequence, this issue casts doubt on the level of Node support provided by moving to the 2.x series. The 1.4.5-lts.1 version does not refer to fs-temp as noted in the issue.
-
stacktrace-js: Patch update (v2.0.1 to v2.0.2) Rationale: Contains vulnerability fixes Changelogs: https://github.com/stacktracejs/stacktrace.js/blob/master/CHANGELOG.md (not maintained beyond 2.0.0) https://github.com/stacktracejs/stacktrace.js/releases/tag/v2.0.2Dependency update (to address a vulnerability in acorn@7.0.0) and sourcemap fix
-
superagent: Major update (v5.1.0 to ~v8.1.2~ v8.0.9) Rationale: Deprecated, authors indicate v7.1.5 or v8.0.0+ be used instead. v8.0.3 first mention of Node v18 support Changelog: https://github.com/ladjs/superagent/releasesv5.x to v6.x:
- N/A (Not opting into retry): Retry behavior is still opt-in, however we now have a more fine-grained list of status codes and error codes that we retry against (see updated docs) v6.x to v7.0:
- Browser behaviour changed to match Node when serializing
application/x-www-form-urlencoded, usingarrayFormat: 'indices'semantics ofqslibrary. (See: https://www.npmjs.com/package/qs#stringifying) v7.0 to v8.0: - N/A (Not used): ActiveXObject gone
-
tracer: Major update (v0.9.9 to v1.3.0) Rationale: Several security fixes contained within update path; only package updates otherwise Changelog: https://github.com/baryon/tracer?tab=readme-ov-file#history -
uuid: Major update (v3.3.3 to v9.0.1) Not updated Changelog: https://github.com/uuidjs/uuid/blob/main/CHANGELOG.mdSignificant Changes
v7.0.0:
- N/A (not using default method): Default method removed
- ESM/CJS split build introduced
- Insecure RNG not allowed in browsers v8.0.0:
- N/A (not using ESM): ESM only supports named exports
-
ws: Major update (v7.1.2 to ~v8.16.0~ v7.5.9) Rationale: NodeJS compatibility, important backports Changelog: https://github.com/websockets/ws/releasesSignificant Changes
v7.2.5: Fix compatibility with NodeJS:master v7.4.0: Provides access to HTTP GET request during socket 'connection' event; used in NetCreate-Auth/Access-Lite to propagate JWT user information between Express+WSS events v7.4.6: Regex DoS vulnerability fix v7.5.x: Backports (last on July 15th 2022)
Packages Updated (Web-pack Stack)
copy-webpack-plugin: (v4.5.4 to v12.0.2)html-webpack-plugin: (v3.2.0 to v5.6.0)mini-css-extract-plugin: Major update (v0.4.3 to v2.8.0)optimize-css-assets-webpack-plugin: Removeduglifyjs-webpack-plugin: Removedwebpack: (v4.41.0 to v5.90.3)webpack-cli: (v3.3.9 to v5.1.4)webpack-dev-middleware: (v3.7.2 to v7.0.0)webpack-dev-server: (v3.8.1 to v5.0.2)webpack-hot-middleware: (v2.25.0 to v2.26.1)
Packages Updated (Front-end)
@dagrejs/graphlib- MUI (v4 to v5)
bootstrapclassnamesclsxcolorcropperjselectronjqueryprop-typesreact,react-domreact-draggablereact-routerreact-router-configreact-router-domreact-router-proptypesreactstraprfdc(Really Fast Deep Clone); only used on FEstyled-components(introduced)webrtc-adapter: (removed: not used)
New fork of original MEME (2018) created. New Wiki, Issues, Projects, and Pull Requests for changes moving forward go in this repo. However, we can refer to stuff in the old WIKI as needed.
Running list of Issues