
Potential security issues in outdated dependencies #746

Closed
arm4b opened this issue Apr 22, 2020 · 9 comments

Comments

@arm4b
Member

arm4b commented Apr 22, 2020

Warning! st2web needs help and React/UI maintainer!

st2web has a lot of security warnings in its outdated npm dependencies located in https://github.com/StackStorm/st2web/blob/master/yarn.lock

(https://github.com/StackStorm/st2web/network/alerts)

We'll need someone experienced in React/UI/Javascript to update them, making sure st2web functionality/tests are still working as before.

We'll probably need to get another round of manual/UI testing searching for regressions once the patching is done.

@guzzijones
Contributor

I am running an npm update now. I see the deprecated warnings. I will take a stab at this.

@guzzijones
Contributor

I am working on removing cryptiles and changing to @hapi/cryptiles in each module.
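An added example, not code from the st2web project or from any participant in this thread: a small Node script that parses a yarn v1 lockfile and reports every pinned version of a package, which lockfile entries pull it in, and which top-level packages those chains lead back to. That is the check to run after swapping cryptiles for @hapi/cryptiles, since a transitive copy (for example one pulled in through hawk by an old request) survives a package.json edit. The lockfile text is constructed for the demo and its versions are illustrative, not st2web's actual pins.

```javascript
// Constructed yarn v1 lockfile excerpt (illustrative versions, not st2web's real pins).
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@hapi/cryptiles@^5.0.0":
  version "5.1.0"
  resolved "https://registry.yarnpkg.com/@hapi/cryptiles/-/cryptiles-5.1.0.tgz"
  dependencies:
    "@hapi/boom" "9.x.x"

boom@2.x.x:
  version "2.10.1"
  resolved "https://registry.yarnpkg.com/boom/-/boom-2.10.1.tgz"
  dependencies:
    hoek "2.x.x"

cryptiles@2.x.x:
  version "2.0.5"
  resolved "https://registry.yarnpkg.com/cryptiles/-/cryptiles-2.0.5.tgz"
  dependencies:
    boom "2.x.x"

hawk@~3.1.3:
  version "3.1.3"
  dependencies:
    boom "2.x.x"
    cryptiles "2.x.x"
    hoek "2.x.x"
    sntp "1.x.x"

request@^2.81.0:
  version "2.81.0"
  dependencies:
    hawk "~3.1.3"
`;

function stripQuotes(s) { return s.replace(/^"|"$/g, ''); }

// "name@range" -> name. The last "@" separates the range, so scoped names survive.
function nameOf(key) { return key.slice(0, key.lastIndexOf('@')); }

// Minimal yarn v1 parser: top-level "key[, key]:" lines open an entry, two-space
// lines carry version/resolved/integrity or a dependencies header, four-space
// lines under that header are `name "range"` pairs.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (raw.trim() === '' || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      const keys = raw.replace(/:\s*$/, '').split(', ').map(stripQuotes);
      current = { name: nameOf(keys[0]), keys, version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (raw.startsWith('    ')) {
      if (!inDeps || !current) continue;
      const m = raw.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    } else {
      const line = raw.trim();
      const v = line.match(/^version "(.+)"$/);
      if (v) current.version = v[1];
      inDeps = /^(optionalD|d)ependencies:$/.test(line);
    }
  }
  return entries;
}

// Every distinct version of `name` pinned anywhere in the lockfile.
function versionsOf(entries, name) {
  return [...new Set(entries.filter(e => e.name === name).map(e => e.version))].sort();
}

// Entries whose dependency list pulls `name` in, with the range they ask for.
function dependentsOf(entries, name) {
  return entries
    .filter(e => Object.prototype.hasOwnProperty.call(e.dependencies, name))
    .map(e => ({ name: e.name, version: e.version, range: e.dependencies[name] }));
}

// Walk dependents upward to the packages nothing else in the lock depends on,
// i.e. the direct dependencies that ultimately drag `name` in. `seen` breaks cycles.
function topLevelDependentsOf(entries, name, seen = new Set()) {
  const parents = dependentsOf(entries, name);
  if (parents.length === 0) return [name];
  const roots = [];
  for (const p of parents) {
    if (seen.has(p.name)) continue;
    seen.add(p.name);
    roots.push(...topLevelDependentsOf(entries, p.name, seen));
  }
  return [...new Set(roots)].sort();
}

function report(lockText, name) {
  const entries = parseYarnLock(lockText);
  return {
    versions: versionsOf(entries, name),
    dependents: dependentsOf(entries, name),
    roots: topLevelDependentsOf(entries, name),
  };
}

for (const pkg of ['cryptiles', '@hapi/cryptiles']) {
  console.log(pkg, JSON.stringify(report(SAMPLE_LOCK, pkg)));
}
```

On the sample, cryptiles 2.0.5 is still present and is reached only through hawk, which request pulls in, so replacing the direct dependency alone would not clear it; @hapi/cryptiles shows no dependents, meaning it is a direct dependency. To run it against a real checkout, replace SAMPLE_LOCK with the contents of yarn.lock (for example via fs.readFileSync) and treat any entry left in `versions` for the old name as unfinished work. The parser handles the subset of the v1 format shown here; it does not attempt to cover yarn v2 (YAML) lockfiles.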

@punkrokk
Member

punkrokk commented May 8, 2020 via email

@guzzijones
Contributor

@bgaeddert please pop in here if you are working on another.

@punkrokk
Member

@armab I think we addressed this with #757, do you agree?

@arm4b
Member Author

arm4b commented Jul 22, 2020

@punkrokk I'd say partially. While #757 removes some unused dependencies, there is no PR which updates existing dependencies.

Currently https://github.com/StackStorm/st2web/network/alerts still shows some 25 security issues, which is an improvement compared to 36 before.

@punkrokk punkrokk self-assigned this Jul 31, 2020
@punkrokk
Member

@armab This PR: #794 addressed all of this. If you approve, please close.

@arm4b
Member Author

arm4b commented Aug 31, 2020

I guess we need to merge the #794 first to understand if https://github.com/StackStorm/st2web/network/alerts is clear.
Do we have someone who can review that PR?

@nmaludy
Member

nmaludy commented Oct 6, 2020

These issues have been remediated and only development dependencies are outlying as of the 3.3.0 release!

@nmaludy nmaludy closed this as completed Oct 6, 2020