uswds / uswds-compile

Simple Gulp 5 functions for copying USWDS static assets and transforming USWDS Sass into browser-readable CSS.

Update dependencies & add Snyk #60

Closed mejiaj closed 11 months ago

mejiaj commented 1 year ago

This PR:

Closes #48.

Dependency updates

| Dependency | Old | 25da089 [04/27/23] | b37aee6 [07/12/23] |
|---|---|---|---|
| @uswds/uswds | 3.3.0 | 3.4.1 | 3.5.0 |
| uswds | 2.13.3 | 2.14.0 | - |
| autoprefixer | 10.4.13 | 10.4.14 | - |
| del | 6.0.0 | 6.1.1 | - |
| glob-parent [⚠️ via overrides] | - | 6.0.2 | - |
| gulp-replace | 1.1.3 | 1.1.4 | - |
| postcss | 8.4.19 | 8.4.23 | 8.4.25 |
| sass-embedded | 1.56.1 | 1.62.0 | 1.63.6 |
| unset-value [⚠️ via overrides] | - | 2.0.1 | - |

> **Note**
> There is an additional update for del@7, but that only supports ESM.

How to test

Confirm errors

1. Checkout `git checkout develop` branch
1. Run `npm i && npm audit`
1. Confirm error message: `6 high severity vulnerabilities`
1. Run `npx snyk test`
1. Confirm error message: `found 2 issues, 33 vulnerable paths.`
1. Reset branch with `git checkout -- .`

Confirm fix

1. Checkout branch `git checkout jm-update-dependencies`
1. Run `npm i && npm audit`
1. Confirm 0 vulnerabilities
1. Run snyk test `npx snyk test`
1. Confirm 0 vulnerabilities.

> **Note**
> I tried testing this on uswds-sandbox with mixed results. Installing via `npm link` will show dependency fixes, but gulp scripts won't run (even if Node versions match). Installing via git branch won't show security fixes, but scripts **will** run.

Test functionality:

mejiaj commented 1 year ago

@mahoneycm

When running npx snyk test I'm receiving a third failure on develop that persists on this branch.


This is after removing node_modules and package-lock.json?

How I tested

```bash
uswds-compile on  jm-update-dependencies via  v18.15.0 via 💎 v2.7.2
➜ rm -rf node_modules package-lock.json
npm %
uswds-compile on  jm-update-dependencies [✘] via  v18.15.0 via 💎 v2.7.2
➜ npm i
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated fsevents@1.2.13: The v1 package contains DANGEROUS / INSECURE binaries. Upgrade to safe fsevents v2
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies

added 512 packages, and audited 513 packages in 13s

45 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

uswds-compile on  jm-update-dependencies [!1] via  v18.15.0 via 💎 v2.7.2 took 13s
➜ npx snyk test

Testing /Users/jmejia-a/web/uswds-compile...

Organization:      uswds
Package manager:   npm
Target file:       package-lock.json
Project name:      @uswds/compile
Open source:       no
Project path:      /Users/jmejia-a/web/uswds-compile
Licenses:          enabled

✔ Tested 415 dependencies for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
```

I'm also receiving an error during buildSass on the following gulp tasks

  • compile
  • compileSass
  • updateUswds // runs compile mentioned above

Error: Cannot find module '../../uswds/package.json'


If I update the path to package.json I'm able to resolve it

-  const pkg = require(`../../${uswdsPath}/package.json`).version;
+  const pkg = require(`../${uswdsPath}/package.json`).version; 
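Review bot: the one-level `../${uswdsPath}/package.json` path makes the lookup work from a checkout of this repo but will break the layout the original `../../` depth was written for, where the compile tasks run from a package installed under a consuming project's `node_modules` (which is why a test project such as uswds-sandbox is needed to run them). Rather than picking one relative depth, resolve the USWDS package relative to the project's working directory instead of this file's location, e.g. `require(path.join(process.cwd(), uswdsPath, 'package.json')).version`, so the same line works in both cases. Also, the variable holds only the version string, so a name such as `uswdsVersion` would describe it better than `pkg`.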

Curious why I've received this error if you haven't!

You need a test project to run the Compile tasks. I've updated notes to point to uswds/uswds-sandbox at test-compile-60. Thanks for pointing that out.

mejiaj commented 1 year ago

@mejiaj This is looking good, but I had trouble removing the vulnerabilities when I installed this branch on uswds-site (notes below). It looks like you ran into a similar issue as described in your PR description. I am not sure if that is an issue with the install method or with the overrides themselves, just wanted to flag it.

  • [x] Successfully completed all steps to confirm vulnerabilities in develop
  • [x] Successfully completed all steps to confirm 0 vulnerabilities and no snyk errors in this branch
  • [x] Confirmed that all gulp tasks work when installed on a local uswds and uswds-compile project
  • [x] Confirmed dependencies are now on their latest version (with the exception of del)
  • [x] Confirmed dependency table in the PR description matches updated dependencies
  • [ ] Confirmed this branch removes unset-value and glob-parent snyk errors in uswds-site

    • When I install the jm-update-dependencies branch in uswds-site, via both npm link and installing the remote branch, it shows 6 high severity vulnerabilities and does not resolve glob-parent or unset-value snyk errors. I confirmed that @uswds/compile had the overrides in its package.json.

@amyleadem I was able to reproduce the last note and I'm not sure why that's happening. It might be an issue with npm audit, but the main focus was handling the issues in this repo.

mejiaj commented 1 year ago

@mahoneycm can you do a clean install and test again?

mahoneycm commented 1 year ago

@mejiaj same issue as before:


mejiaj commented 1 year ago

@mahoneycm thanks for that info! npm ci has a dependency on the existing package-lock, so it's showing older vulnerabilities.

> This command is similar to npm install, except it's meant to be used in automated environments such as test platforms, continuous integration, and deployment -- or any situation where you want to make sure you're doing a clean install of your dependencies.

Source: NPMJS on npm ci.


I wasn't able to reproduce this issue via npm install in both node v16 and v18.

mejiaj commented 1 year ago

I've updated dependencies and run npm audit fix in b37aee6.

And now we're back to zero vulnerabilities.

```bash
# 07/12/23 - After `npm audit fix`.
uswds-compile on jm-update-dependencies [+] via NPM v18.15.0
→ npm audit fix

changed 2 packages, and audited 513 packages in 478ms

39 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```

mejiaj commented 1 year ago

As of 09/07/23 there are still 0 vulnerabilities. This is ready for review & merge @thisisdano.


Moving additional dep updates to a new issue https://github.com/uswds/uswds-compile/issues/71.

jeremyzilar commented 1 year ago

On a fresh install where @uswds/compile is the only dependency, I am finding that it hangs on caniuse-lite. Then after about 15mins, my computer runs out of memory and crashes. I am on node 16.19.1.

jeremyzilar commented 1 year ago

FWIW -- I downgraded to node 14.21.3 and got it working, I think 😊

mejiaj commented 11 months ago

@jeremyzilar could you try node 20? That's the latest LTS version.