Closed: mejiaj closed this 11 months ago
@mahoneycm
When running `npx snyk test` I'm receiving a third failure on `develop` that persists on this branch. This is after removing `node_modules` and `package-lock.json`?
I'm also receiving an error during `buildSass` on the following gulp tasks:

- `compile`
- `compileSass`
- `updateUswds` // runs `compile` mentioned above

```
Error: Cannot find module '../../uswds/package.json'
```

If I update the path to `package.json` I'm able to resolve it:
- const pkg = require(`../../${uswdsPath}/package.json`).version; + const pkg = require(`../${uswdsPath}/package.json`).version;
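Review bot: the one-line fix trades one hard-coded directory layout for another. `require()` resolves a relative specifier against the directory of the file that contains it, not against the working directory, so `../${uswdsPath}/package.json` only works when this task file sits exactly one level deeper than `uswdsPath`; installed as a dependency inside a test project the nesting changes again, which is the situation the thread keeps hitting. Resolving from the project root instead, e.g. `require(path.resolve(process.cwd(), uswdsPath, 'package.json')).version`, keeps `uswdsPath` as the single thing the user configures. Minor: the variable is called `pkg` but holds only the version string.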
Curious why I've received this error if you haven't!
You need a test project to run the Compile tasks. I've updated notes to point to uswds/uswds-sandbox at `test-compile-60`. Thanks for pointing that out.
@mejiaj This is looking good, but I had trouble removing the vulnerabilities when I installed this branch on `uswds-site` (notes below). It looks like you ran into a similar issue as described in your PR description. I am not sure if that is an issue with the install method or with the overrides themselves, just wanted to flag it.

- [x] Successfully completed all steps to confirm vulnerabilities in `develop`
- [x] Successfully completed all steps to confirm 0 vulnerabilities and no snyk errors in this branch
- [x] Confirmed that all gulp tasks work when installed on a local uswds and uswds-compile project
- [x] Confirmed dependencies are now on their latest version (with the exception of `del`)
- [x] Confirmed dependency table in the PR description matches updated dependencies
- [ ] Confirmed this branch removes `unset-value` and `glob-parent` snyk errors in uswds-site
  - When I install the `jm-update-dependencies` branch in uswds-site, via both `npm link` and installing the remote branch, it shows `6 high severity vulnerabilities` and does not resolve `glob-parent` or `unset-value` snyk errors. I confirmed that @uswds/compile had the overrides in its `package.json`.
@amyleadem I was able to reproduce the last note and I'm not sure why that's happening. It might be an issue with `npm audit`, but the main focus was handling the issues in this repo.
@mahoneycm can you do a clean install and test again?
@mejiaj same issue as before:
@mahoneycm thanks for that info! `npm ci` has a dependency on the existing package-lock, which is why it's showing older vulnerabilities.

> This command is similar to npm install, except it's meant to be used in automated environments such as test platforms, continuous integration, and deployment -- or any situation where you want to make sure you're doing a clean install of your dependencies.

Source: NPMJS on `npm ci`.

I wasn't able to reproduce this issue via `npm install` in either node v16 or v18.

I've updated dependencies and run `npm audit fix` in b37aee6. And now we're back to zero vulnerabilities.
# 07/12/23 - After `npm audit fix`.
```text
uswds-compile on jm-update-dependencies [+] via NPM v18.15.0
→ npm audit fix

changed 2 packages, and audited 513 packages in 478ms

39 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```
As of 09/07/23 there are still 0 vulnerabilities. This is ready for review & merge @thisisdano.
Moving additional dep updates to a new issue https://github.com/uswds/uswds-compile/issues/71.
On a fresh install where `@uswds/compile` is the only dependency, I am finding that it hangs on `caniuse-lite`. Then after about 15 mins, my computer runs out of memory and crashes. I am on node `16.19.1`.
FWIW -- I downgraded to node `14.21.3` and got it working, I think 😊
@jeremyzilar could you try node 20? That's the latest LTS version.
This PR: `overrides`

Closes #48.

## Dependency updates

- `@uswds/uswds`
- `uswds`
- `autoprefixer`
- `del`
- `glob-parent` [⚠️ via overrides]
- `gulp-replace`
- `postcss`
- `sass-embedded`
- `unset-value` [⚠️ via overrides]

## How to test

### Confirm errors

1. Check out the `develop` branch: `git checkout develop`
1. Run `npm i && npm audit`
1. Confirm error message: `6 high severity vulnerabilities`
1. Run `npx snyk test`
1. Confirm error message: `found 2 issues, 33 vulnerable paths.`
1. Reset branch with `git checkout -- .`

### Confirm fix

1. Check out the branch: `git checkout jm-update-dependencies`
1. Run `npm i && npm audit`
1. Confirm 0 vulnerabilities
1. Run snyk test: `npx snyk test`
1. Confirm 0 vulnerabilities.

> **Note**
> I tried testing this on uswds-sandbox with mixed results. Installing via `npm link` will show dependency fixes, but gulp scripts won't run (even if Node versions match). Installing via git branch won't show security fixes, but scripts **will** run.

Test functionality: `test-compile-60` or use site.

`npm audit`.