
ISSUE-626 Upgrade transitive dep eslint-utils to fix vulnerability #628


samuelneff
Contributor

Resolves critical security vulnerability in eslint-utils, dependency of eslint.

#626

Checklist

  • Latest code from master has been merged into the pull request branch
  • Honors the seven code virtues
    • Working, as opposed to incomplete
    • Unique, as opposed to duplicated
    • Simple, as opposed to complicated
    • Clear, as opposed to puzzling
    • Easy, as opposed to difficult
    • Developed, as opposed to primitive
    • Brief, as opposed to chatty
  • Code is camelCased
  • No commented out code (if required, place // TODO above with explanation)
  • No linting issues
  • Automated tests exist and pass
  • Build is successful (npm run build)
  • Works in IE 11, Chrome, Firefox, and Edge

Thanks!

❤️

@coveralls

coveralls commented Sep 9, 2019

Coverage Status

Coverage remained the same at 91.525% when pulling f03ee4f on samuelneff:issue-626-eslint-util-vulnerability into e371105 on coryhouse:master.

@nickytonline
Collaborator

nickytonline commented Sep 9, 2019

This brings up a good point. I know in the past we said Greenkeeper was more annoying than helpful, but I've been using Dependabot for dependency updates and even automated the process with Cypress. We could potentially do the same here or at a minimum let Dependabot create PRs for security fixes.

For those interested, I wrote a post about automating dependency updates, Update Dependencies with Dependabot, Cypress and Netlify. We could do something similar for react-slingshot.

@coryhouse
Owner

I worry about the amount of noise it would create due to such frequent releases. Since this is dev tooling, most of the warnings are irrelevant anyway. It's the warnings in the prod deps that actually matter, and those are rare.

That said, I'd be open to a PR to try it.

@samuelneff
Contributor Author

@coryhouse fwiw, my work would not allow us to use a project with warnings like the one covered here, even if it is an irrelevant dev dependency.

I wouldn't necessarily update all dependencies all the time as soon as they're available, but it would be good to address security vulnerabilities as they come up and to update the rest of the dependencies on a semi-regular scheduled basis.
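The triage rule debated above (a transitive advisory matters when the package is reachable from production dependencies, less so when it is dev-only) can be checked mechanically against a lockfile. The script below is an added example, not code from this PR or from react-slingshot; it assumes the npm v1 `package-lock.json` shape (npm 5/6), where each entry carries `"dev": true` when it is reachable only through `devDependencies`, and the sample lockfile, its versions and the patched-version threshold are constructed values, not the real advisory's.

```javascript
// Added example: find every copy of a transitive package in a v1 lockfile,
// flag the ones below a patched version, and optionally keep only those
// reachable from production dependencies.

function parseVersion(v) {
  // "1.4.0" -> [1, 4, 0]; prerelease/build suffixes are ignored here.
  return v.split(/[-+]/)[0].split('.').map(Number);
}

function versionAtLeast(actual, wanted) {
  const a = parseVersion(actual), w = parseVersion(wanted);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (w[i] || 0)) return (a[i] || 0) > (w[i] || 0);
  }
  return true;
}

// Walk the (possibly nested) "dependencies" tree and collect each copy of
// `name`: its version, whether it is dev-only, and the parent chain.
function findInstances(deps, name, path = []) {
  const hits = [];
  for (const [depName, entry] of Object.entries(deps || {})) {
    const here = [...path, depName];
    if (depName === name) {
      hits.push({ version: entry.version, dev: Boolean(entry.dev), path: here });
    }
    hits.push(...findInstances(entry.dependencies, name, here));
  }
  return hits;
}

// Instances still below `patchedVersion`; with prodOnly=true, dev-only
// copies are dropped, which is the "only prod deps matter" rule.
function triage(lock, name, patchedVersion, prodOnly = false) {
  return findInstances(lock.dependencies, name)
    .filter(i => !versionAtLeast(i.version, patchedVersion))
    .filter(i => !(prodOnly && i.dev));
}

// Constructed lockfile: eslint-utils is hoisted as a dev dependency and
// also nested under a (hypothetical) production library.
const sampleLock = {
  dependencies: {
    eslint: { version: '6.1.0', dev: true, requires: { 'eslint-utils': '^1.3.1' } },
    'eslint-utils': { version: '1.3.1', dev: true },
    'some-prod-lib': {
      version: '2.0.0',
      requires: { 'eslint-utils': '^1.3.1' },
      dependencies: { 'eslint-utils': { version: '1.3.1' } },
    },
  },
};
const PATCHED = '1.4.0'; // constructed threshold for the example only
```

Run `triage(sampleLock, 'eslint-utils', PATCHED)` to list both unpatched copies, and pass `true` as the fourth argument to see only the production-reachable one.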

@samuelneff samuelneff closed this Jun 14, 2021