-
-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependency clean up #757
Merged
Merged
Dependency clean up #757
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Nice work here. Just removing unused dependencies alone will remove a whole lot of noise in future |
bgaeddert
force-pushed
the
dependency-clean-up
branch
from
June 29, 2020 16:08
de74f74
to
52d50d9
Compare
Tested locally on my box and didn't run into any issues. Works great! |
nmaludy
approved these changes
Jul 8, 2020
arm4b
approved these changes
Jul 9, 2020
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
@bgaeddert Yup! Thanks man. Great job! |
35 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The goal of this PR is the get a handle on the dependencies of st2web. The main purpose was to mitigate or remove all the packages with security vulnerabilities. While attempting this I found a few other issues that needed to be addressed first. First I went through all the modules and apps with package.json files and removed all unused dependencies. Then moved all devDependencies and production dependencies to their appropriate group. This process had the benefit of removing several vulnerabilities that weren't even used. And I was able to isolate the remaining vulnerabilities to devDependencies group. Then actually address the production packages vulnerabilities. The command below return vulnerabilities for production code. And as you can see there are now zero vulnerabilities.
$
yarn audit --groups dependencies
yarn audit v1.22.4
0 vulnerabilities found - Packages audited: 120
✨ Done in 2.24s.
There are remaining vulnerabilities in the devDependecies. However, IMHO it's not worth replacing packages that are working now to build and dev. I suspect that Githubs automated security check will still alert on these non-producton packages, but that remains to be seen.
I ran test and build and tested with st2vagrant. However, Some real QA is required and someone who knows something about the production build process should also test.
@punkrokk please assign anyone you feel appropriate.