-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(DGHT-287): Fix dependabot alerts (2) #5469
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yyanwang
temporarily deployed
to
pull_request_unsafe
December 10, 2024 03:51 — with
GitHub Actions
Inactive
Storybook for this PR deployed on this github page |
yyanwang
temporarily deployed
to
pull_request_unsafe
December 10, 2024 05:51 — with
GitHub Actions
Inactive
jmfrancois
approved these changes
Dec 10, 2024
jmfrancois
pushed a commit
that referenced
this pull request
Dec 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is the problem this PR is trying to solve?
Fix remaining dependabot alerts:
https://github.com/Talend/ui/security/dependabot/221
https://github.com/Talend/ui/security/dependabot/246
https://github.com/Talend/ui/security/dependabot/6
This alert will persisit because no safe version available and I don't think we can get rid of this dep:
https://github.com/Talend/ui/security/dependabot/195
Dependencies upgraded:
svgo
^1.3.2 -> ^3.3.2@svgr/webpack
^5.5.0 -> ^8.1.0remove dep
fetch-mock
(use our mock for fetch instead)Changes:
svgo
and@svgr/webpack
to remove an indirect dependency onnth-check
, which triggered a security alert. Adjusted SVG optimization configuration files to align with the upgrades. Verified that theyarn svgo
script for icons continues to function correctly.json-refs
Issue: Updated the dependency tree, which caused an error due tojson-refs
using a Node.js API. Added resolve.alias in the Webpack configuration to use the browser-compatible distribution ofjson-refs
. disabled thequerystring
polyfill in the Storybook Webpack configuration to avoid unnecessary overhead.fetch-mock
to eliminate its outdated path-to-regexp 2.x version. rewrite the unit test in thehttp
package to use a custom mock for fetch, as this was the only place fetch-mock was being used.After upgrade, I checked several things:
icon
npm script:yarn svgo
works well. ✅let me know if I need to check other things.
What is the chosen solution to this problem?
Please check if the PR fulfills these requirements
yarn changeset
to a request a release from the CI if wanted.[ ] This PR introduces a breaking change