uswds / uswds-compile

Simple Gulp 4 functions for copying USWDS static assets and transforming USWDS Sass into browser-readable CSS.

USWDS-Compile - Dependencies: POAM March '24 #89

Closed mahoneycm closed 5 months ago

mahoneycm commented 5 months ago

Summary

Monthly POAM checks and dependency vulnerability resolution.

Before: 4 vulnerabilities (1 low, 3 moderate)

After: 3 moderate severity vulnerabilities

Updates USWDS package to 3.8.0

Related issue

uswds/uswds#5801

Closes https://github.com/uswds/uswds-compile/security/dependabot/10

Problem statement

Various dependencies were causing medium and low security vulnerabilities.

Solution

Bump dependencies with resolving updates.

Updated dependencies

| Name | Old version | New version |
| --- | --- | --- |
| autoprefixer | 10.4.16 | 10.4.18 |
| postcss | 8.4.32 | 8.4.35 |
| sass-embedded | 1.69.5 | 1.71.1 |
| @uswds/uswds | ^3.7.1 | 3.8.0 [^1] |

[^1]: Note: Pinned the USWDS dependency to match the updating process on USWDS-Site. I figured this grants us more control over breaking changes in the future.

Testing and review

  1. Check out test repo.
  2. Run npm install.
  3. Run through gulp commands to confirm they run without error.
  4. Run npm start and confirm build completes without error.

Gulp commands

    "uswds:buildDist": "./build.sh",
    "uswds:buildSass": "gulp buildSass",
    "uswds:compileIcons": "gulp compileIcons",
    "uswds:copyAssets": "gulp copyAssets",
    "uswds:copyFonts": "gulp copyFonts",
    "uswds:copyImages": "gulp copyImages",
    "uswds:copyJS": "gulp copyJS",

mahoneycm commented 5 months ago

@mejiaj went ahead and updated patch and minor versions as well as updated to uswds: 3.8.0.

Tested by installing on sandbox and all compile commands work like a charm with no file changes
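
The before/after vulnerability counts in the PR summary can be checked mechanically by diffing two saved `npm audit --json` reports. The following is an added example, not code from this PR or from uswds-compile; it assumes the npm 7+ report layout (a top-level `vulnerabilities` object keyed by package name, each entry with a `severity` field), and the package names in the sample reports are constructed placeholders.

```javascript
// Added example, not part of the PR. Assumes the report layout written by
// `npm audit --json` on npm 7+: a top-level "vulnerabilities" object keyed by
// package name, each entry carrying a "severity" string.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Count findings per severity; unknown severities throw instead of being dropped.
function countBySeverity(report) {
  const counts = Object.fromEntries(SEVERITIES.map((s) => [s, 0]));
  for (const [name, vuln] of Object.entries(report.vulnerabilities ?? {})) {
    if (!SEVERITIES.includes(vuln.severity)) {
      throw new Error(`unexpected severity "${vuln.severity}" for ${name}`);
    }
    counts[vuln.severity] += 1;
  }
  return counts;
}

// Diff two reports: what was resolved, what is new, and whether any
// severity bucket grew after the dependency update.
function compareAudits(before, after) {
  const b = countBySeverity(before);
  const a = countBySeverity(after);
  const beforeNames = Object.keys(before.vulnerabilities ?? {});
  const afterNames = Object.keys(after.vulnerabilities ?? {});
  return {
    before: b,
    after: a,
    resolved: beforeNames.filter((n) => !afterNames.includes(n)),
    introduced: afterNames.filter((n) => !beforeNames.includes(n)),
    regressed: SEVERITIES.some((s) => a[s] > b[s]),
  };
}

// Constructed sample reports. Package names are placeholders; only the counts
// (1 low + 3 moderate before, 3 moderate after) come from the PR summary.
const mk = (severity) => ({ severity });
const beforeReport = { vulnerabilities: {
  "placeholder-a": mk("low"), "placeholder-b": mk("moderate"),
  "placeholder-c": mk("moderate"), "placeholder-d": mk("moderate") } };
const afterReport = { vulnerabilities: {
  "placeholder-b": mk("moderate"), "placeholder-c": mk("moderate"),
  "placeholder-d": mk("moderate") } };

const result = compareAudits(beforeReport, afterReport);
console.log(result);
// Fail the monthly check if the update made any severity bucket worse.
if (result.regressed) process.exitCode = 1;
```

The `introduced` list is worth reading even when `regressed` is false, since a bump can resolve one finding and pull in another of the same severity.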