tl-its-umich-edu / canvas-course-manager-next

Canvas Course Manager Next: A redesign of the existing CCM application. It extends Canvas features, makes cumbersome features easier to use, and adds new features.

Backend dependency update #462

Closed pushyamig closed 2 weeks ago

pushyamig commented 1 month ago

Fixes some of the issues in https://github.com/tl-its-umich-edu/canvas-course-manager-next/security/dependabot

mysql2 is the one with critical severity; we have a direct dependency on it, and ltijs-sequelize also uses this package, still pinning the older version with the critical severity. I did not want to force an update since it might break things. So we have no choice but to accept the risk until the library owner updates it. Since the backend rewrite is coming, I felt we could accept the risk.

I have done some mapping of the Dependabot alerts we have to what to update on our end.

Not all packages in the high or moderate severity category could be updated, since the corresponding package owners did not update them. Since we have so many packages, it makes the dependency process a bit tedious.

I have used the ncu package for checking package updates and vulnerabilities.

The npm audit report states that either no fix is available or a fix is available via `npm audit fix --force`, so I opted to keep it as it is and accept the risk at this point.

The GitHub Actions build is successful on the local branch from which I am opening this PR.

Test Plan: High-level integration testing of various components of CCM.
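The alert-to-package mapping and the `npm audit` triage the comment above describes, as an added example that is not part of this PR or of the canvas-course-manager-next code: it reads an `npm audit --json` report (the `auditReportVersion: 2` shape that npm 7 and later emit) and, for every vulnerable package, records the severity, whether it is a direct dependency, which other vulnerable package it inherits the finding from, which packages it affects in turn, and whether npm offers a plain fix, a semver-major fix that only `npm audit fix --force` would apply, or no fix at all. The report embedded below is a constructed sample: mysql2 and ltijs-sequelize are the packages named in the PR, while the advisory titles, the version strings and the `placeholder-lib` / `placeholder-parent` packages are placeholders, not real advisories.

```javascript
// Added example, not project code. Triage an `npm audit --json` report
// (auditReportVersion 2) into the per-package mapping a dependency PR needs.

// Constructed sample report. mysql2 and ltijs-sequelize are the package
// names from the PR; advisory titles, versions and placeholder-* names are
// placeholders, not real advisory data.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    mysql2: {
      name: 'mysql2',
      severity: 'critical',
      isDirect: true,
      // an object entry in `via` is the advisory itself: this package is the root cause
      via: [{ source: 0, name: 'mysql2', title: 'placeholder advisory', severity: 'critical' }],
      effects: ['ltijs-sequelize'],
      nodes: ['node_modules/mysql2'],
      // only a semver-major bump fixes it, i.e. `npm audit fix --force`
      fixAvailable: { name: 'mysql2', version: '0.0.0-placeholder', isSemVerMajor: true },
    },
    'ltijs-sequelize': {
      name: 'ltijs-sequelize',
      severity: 'critical',
      isDirect: true,
      // a string entry in `via` means "vulnerable only through that package"
      via: ['mysql2'],
      effects: [],
      nodes: ['node_modules/ltijs-sequelize'],
      fixAvailable: false, // nothing to do until the library owner updates
    },
    'placeholder-lib': {
      name: 'placeholder-lib',
      severity: 'moderate',
      isDirect: false,
      via: [{ source: 1, name: 'placeholder-lib', title: 'placeholder advisory', severity: 'moderate' }],
      effects: ['placeholder-parent'],
      nodes: ['node_modules/placeholder-lib'],
      fixAvailable: true, // a plain `npm audit fix` resolves it
    },
  },
};

const SEVERITY_RANK = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// Map npm's `fixAvailable` field (true | false | {name, version, isSemVerMajor})
// onto the three buckets that matter for the decision.
function classifyFix(fixAvailable) {
  if (fixAvailable === true) return 'fix';
  if (!fixAvailable) return 'no-fix';
  return fixAvailable.isSemVerMajor ? 'fix-requires-force' : 'fix';
}

// Flatten the report into one row per vulnerable package, worst severity first.
function triageAudit(report) {
  if (report.auditReportVersion !== 2) {
    throw new Error('expected npm audit JSON with auditReportVersion 2');
  }
  const rows = Object.values(report.vulnerabilities || {}).map((v) => ({
    name: v.name,
    severity: v.severity,
    direct: Boolean(v.isDirect),
    // packages this one is vulnerable through (string entries of `via`)
    inheritedFrom: (v.via || []).filter((x) => typeof x === 'string'),
    // true when an advisory is filed against this package itself
    rootCause: (v.via || []).some((x) => typeof x === 'object'),
    // packages that depend on this one and inherit the finding
    effects: v.effects || [],
    fix: classifyFix(v.fixAvailable),
  }));
  return rows.sort(
    (a, b) =>
      (SEVERITY_RANK[a.severity] ?? 99) - (SEVERITY_RANK[b.severity] ?? 99) ||
      a.name.localeCompare(b.name),
  );
}

// Findings a plain `npm audit fix` cannot close: each one needs an explicit
// decision (force the major bump, patch around it, or accept the risk).
function acceptedRiskCandidates(rows) {
  return rows.filter((r) => r.fix !== 'fix');
}

// One line per package, suitable for pasting into a PR description.
function formatRow(r) {
  const origin = r.direct ? 'direct' : 'transitive';
  const via = r.inheritedFrom.length ? ` via ${r.inheritedFrom.join(', ')}` : '';
  const affects = r.effects.length ? `; affects ${r.effects.join(', ')}` : '';
  return `${r.severity.padEnd(8)} ${r.name} (${origin}${via}${affects}) -> ${r.fix}`;
}

const triaged = triageAudit(sampleReport);
triaged.forEach((r) => console.log(formatRow(r)));
console.log('needs a decision:', acceptedRiskCandidates(triaged).map((r) => r.name).join(', '));
```

To run it against a real tree, replace `sampleReport` with `JSON.parse(fs.readFileSync('audit.json', 'utf8'))` after `npm audit --json > audit.json`; the `fix-requires-force` and `no-fix` rows are exactly the ones the comment above classifies as accepted risk, and the `inheritedFrom` / `effects` columns show why bumping mysql2 alone does not clear ltijs-sequelize.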

jaydonkrooss commented 2 weeks ago

Looks good to me. I tested a couple of ccm modules that use APIs.