
Dependency clean up #757

Merged: 7 commits, Jul 9, 2020

Conversation

bgaeddert, Contributor

The goal of this PR is to get a handle on the dependencies of st2web. The main purpose was to mitigate or remove all the packages with security vulnerabilities. While attempting this I found a few other issues that needed to be addressed first. First I went through all the modules and apps with package.json files and removed all unused dependencies. Then I moved all devDependencies and production dependencies to their appropriate group. This process had the benefit of removing several vulnerabilities that weren't even used. And I was able to isolate the remaining vulnerabilities to the devDependencies group. Then I actually addressed the production packages' vulnerabilities. The command below returns vulnerabilities for production code. And as you can see there are now zero vulnerabilities.

$ yarn audit --groups dependencies

yarn audit v1.22.4
0 vulnerabilities found - Packages audited: 120
✨ Done in 2.24s.

There are remaining vulnerabilities in the devDependencies. However, IMHO it's not worth replacing packages that are working now to build and dev. I suspect that GitHub's automated security check will still alert on these non-production packages, but that remains to be seen.

I ran test and build and tested with st2vagrant. However, some real QA is required, and someone who knows something about the production build process should also test.

@punkrokk please assign anyone you feel appropriate.
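The production-only gate the description relies on, written out as an added example that is not part of this PR or of st2web: a small Python check over `yarn audit --groups dependencies --json` output that fails on any production advisory at or above a chosen severity. It assumes the yarn 1.x JSON-lines layout (`auditAdvisory` records followed by one `auditSummary`); the sample advisories are constructed, with made-up module names and ids.

```python
import json
from collections import Counter

# Constructed sample of `yarn audit --groups dependencies --json` output
# (yarn 1.x JSON-lines layout, assumed): two advisories still present in
# production dependencies, then the summary record. Names/ids are made up.
SAMPLE_AUDIT = """\
{"type":"auditAdvisory","data":{"resolution":{"id":1001,"path":"left-pad-ish","dev":false},"advisory":{"id":1001,"module_name":"left-pad-ish","severity":"high","title":"Prototype Pollution","patched_versions":">=1.3.0"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1002,"path":"some-lib>minimist-ish","dev":false},"advisory":{"id":1002,"module_name":"minimist-ish","severity":"low","title":"Prototype Pollution","patched_versions":">=1.2.3"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":1,"critical":0},"dependencies":120,"devDependencies":0,"totalDependencies":120}}
"""

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def parse_audit(text):
    """Split yarn's JSON-lines audit output into (advisories, summary)."""
    advisories, summary = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("type") == "auditAdvisory":
            adv = rec["data"]["advisory"]
            advisories.append({
                "module": adv["module_name"],
                "severity": adv["severity"],
                "title": adv["title"],
                "patched": adv.get("patched_versions") or "<no fix>",
                "path": rec["data"]["resolution"]["path"],
            })
        elif rec.get("type") == "auditSummary":
            summary = rec["data"]
    return advisories, summary


def audit_gate(text, fail_at="moderate"):
    """Return (passed, counts_by_severity, blocking_advisories); passes only
    when no production advisory is at or above fail_at (the PR's bar: zero)."""
    advisories, _ = parse_audit(text)
    counts = Counter(a["severity"] for a in advisories)
    threshold = SEVERITY_ORDER.index(fail_at)
    blocking = [a for a in advisories
                if SEVERITY_ORDER.index(a["severity"]) >= threshold]
    return not blocking, dict(counts), blocking
```

Pipe the real audit output into `audit_gate` in CI and exit non-zero on failure; the `path` field of each blocking entry shows which top-level dependency pulls the vulnerable module in, which is what decides whether a bump or a removal is the fix.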

@bgaeddert bgaeddert requested a review from punkrokk May 28, 2020 03:56
@punkrokk punkrokk added this to the 3.2.1 milestone Jun 17, 2020
LindsayHill, Contributor

Nice work here. Just removing unused dependencies alone will remove a whole lot of noise in future.

This was referenced Jun 23, 2020
@bgaeddert bgaeddert force-pushed the dependency-clean-up branch from de74f74 to 52d50d9 Compare June 29, 2020 16:08
nmaludy, Member, commented Jul 8, 2020

Tested locally on my box and didn't run into any issues. Works great!

arm4b, Member, left a comment

👍

bgaeddert, Contributor Author

@punkrokk @blag Is this ready to merge?

punkrokk, Member, commented Jul 9, 2020

@bgaeddert Yup! Thanks man. Great job!

@punkrokk punkrokk merged commit 462c122 into StackStorm:master Jul 9, 2020
@punkrokk punkrokk modified the milestones: 3.2.1, 3.3.0 Jul 17, 2020