Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(DGHT-287): Fix dependabot alerts (2) #5469

Merged
merged 7 commits into from
Dec 10, 2024
Merged

Conversation

yyanwang
Copy link
Member

@yyanwang yyanwang commented Dec 10, 2024

What is the problem this PR is trying to solve?
Fix remaining dependabot alerts:
https://github.com/Talend/ui/security/dependabot/221
https://github.com/Talend/ui/security/dependabot/246
https://github.com/Talend/ui/security/dependabot/6

This alert will persisit because no safe version available and I don't think we can get rid of this dep:
https://github.com/Talend/ui/security/dependabot/195

Dependencies upgraded:
svgo ^1.3.2 -> ^3.3.2
@svgr/webpack ^5.5.0 -> ^8.1.0
remove dep fetch-mock (use our mock for fetch instead)

Changes:

  1. Upgrade svgo and @svgr/webpack to remove an indirect dependency on nth-check, which triggered a security alert. Adjusted SVG optimization configuration files to align with the upgrades. Verified that the yarn svgo script for icons continues to function correctly.
  2. Address json-refs Issue: Updated the dependency tree, which caused an error due to json-refs using a Node.js API. Added resolve.alias in the Webpack configuration to use the browser-compatible distribution of json-refs. disabled the querystring polyfill in the Storybook Webpack configuration to avoid unnecessary overhead.
  3. Remove fetch-mock to eliminate its outdated path-to-regexp 2.x version. rewrite the unit test in the http package to use a custom mock for fetch, as this was the only place fetch-mock was being used.

After upgrade, I checked several things:

  1. unit tests ✅
  2. storybook all-in-one PR demo ✅
  3. playground/playground-vite ✅
  4. package icon npm script: yarn svgo works well. ✅
    let me know if I need to check other things.

What is the chosen solution to this problem?

Please check if the PR fulfills these requirements

  • The PR have used yarn changeset to a request a release from the CI if wanted.
  • The PR commit message follows our guidelines
  • Tests for the changes have been added (for bug fixes / features) And non reg done before need review
  • Docs have been added / updated (for bug fixes / features)
  • Related design / discussions / pages (not in jira), if any, are all linked or available in the PR

[ ] This PR introduces a breaking change

@yyanwang yyanwang temporarily deployed to pull_request_unsafe December 10, 2024 03:51 — with GitHub Actions Inactive
Copy link
Contributor

Storybook for this PR deployed on this github page

Copy link
Contributor

github-actions bot commented Dec 10, 2024

Title Lines Statements Branches Functions
assets-api Coverage: 28%
28.4% (25/88) 30.76% (16/52) 21.42% (3/14)
cmf Coverage: 89%
89.17% (1236/1386) 80.88% (605/748) 89.28% (350/392)
cmf-cqrs Coverage: 87%
87.43% (160/183) 70.23% (59/84) 84.21% (48/57)
cmf-router Coverage: 70%
69.23% (135/195) 55.71% (78/140) 56.81% (25/44)
components Coverage: 90%
90.8% (5527/6087) 81.84% (3206/3917) 88.14% (1390/1577)
containers Coverage: 84%
83.59% (1391/1664) 74.3% (694/934) 75% (327/436)
dataviz Coverage: 85%
85.44% (323/378) 66.66% (160/240) 75.79% (119/157)
design-system Coverage: 67%
66.4% (1012/1524) 50.46% (537/1064) 53.58% (217/405)
faceted-search Coverage: 85%
85.08% (639/751) 78.63% (287/365) 81.88% (226/276)
flow-designer Coverage: 70%
70.07% (651/929) 66.72% (355/532) 70.92% (200/282)
forms Coverage: 85%
85.81% (1640/1911) 75.77% (929/1226) 84.24% (460/546)
http Coverage: 100%
100% (85/85) 98.07% (51/52) 100% (34/34)
sagas Coverage: 92%
92.3% (24/26) 66.66% (4/6) 50% (2/4)
stepper Coverage: 80%
81.52% (150/184) 59.34% (54/91) 80.85% (38/47)
utils Coverage: 100%
100% (73/73) 90.9% (10/11) 100% (24/24)

@yyanwang yyanwang merged commit fc2e30f into master Dec 10, 2024
8 checks passed
@yyanwang yyanwang deleted the ywang/chore/DGHT-287 branch December 10, 2024 08:20
yyanwang added a commit that referenced this pull request Dec 10, 2024
jmfrancois pushed a commit that referenced this pull request Dec 10, 2024
* Revert "chore: prepare release (#5471)"

This reverts commit 93202cb.

* Revert "chore(DGHT-287): Fix dependabot alerts (2) (#5469)"

This reverts commit fc2e30f.
@yyanwang yyanwang restored the ywang/chore/DGHT-287 branch December 10, 2024 11:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants