
Public-Sans - POAM: August '24 #306

Merged
merged 10 commits into from
Sep 9, 2024

Conversation

@mahoneycm mahoneycm commented Jul 8, 2024

Summary

Resolved dependency vulnerabilities via npm audit fix

Related issue

USWDS-Team - POAM: August 2024
Closes https://github.com/uswds/public-sans/security/dependabot/75
Closes https://github.com/uswds/public-sans/security/dependabot/78
Closes https://github.com/uswds/public-sans/security/dependabot/77
Closes https://github.com/uswds/public-sans/security/dependabot/76

Preview link

Preview link →

Major changes

  • Node version updated to lts
  • Ruby version updated to 3.3.4

Vulnerabilities before update

16 vulnerabilities (3 moderate, 13 high)

After update

15 vulnerabilities (3 moderate, 12 high)

Dependency updates

Node package updates

| Dependency name | Previous version | Updated version |
|---|---|---|
| @axe-core/cli | ^4.9.0 | ^4.9.1 |
| @uswds/uswds | 3.8.0 | 3.8.1 |
| chromedriver | 125.0.3 | 127.0.1 |
| postcss | ^8.4.38 | ^8.4.41 |
| sass-embedded | ^1.77.0 | ^1.77.8 |

Gem updates:

| Gem name | Previous version | Updated version |
|---|---|---|
| addressable | 2.8.6 | 2.8.7 |
| public_suffix | >= 2.0.2, < 6.0 | >= 2.0.2, < 7.0 |
| google-protobuf | 4.27.1 | 4.27.3 |
| public_suffix | 5.0.5 | 6.0.1 |
| rexml | 3.2.9 | 3.3.4 |
| rouge | 4.2.1 | 4.3.0 |
| sass-embedded | 1.77.4 | 1.77.5 |

Testing and review

Gulp commands run without error

  1. npm run start
  2. npm run serve
  3. npm run test:a11y (while localhost is being served from the serve script)

@mahoneycm mahoneycm mentioned this pull request Jul 8, 2024

@mejiaj mejiaj left a comment


@mahoneycm not seeing the same results from npm audit.

Develop

16 vulnerabilities (3 moderate, 13 high)

Feature

15 vulnerabilities (3 moderate, 12 high)

Can you run again and confirm?

Additionally, I've created issue #307 so we can update Ruby/Node versions. I still see node 18 being used.
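One way to reproduce and diff the audit counts compared in this thread, as an added example that is not the project's own code: it reads the `metadata.vulnerabilities` block and the per-package `vulnerabilities` map that `npm audit --json` (npm 7+) emits, with constructed sample documents standing in for the develop and feature branch runs.

```python
"""Summarise and compare two `npm audit --json` runs (added example; not project code).

`npm audit --json` (npm 7+) carries per-severity counts under metadata.vulnerabilities
and one entry per vulnerable package under the top-level "vulnerabilities" map.  The
two documents below are constructed to mirror the counts quoted in this PR.
"""
import json

SEVERITIES = ("info", "low", "moderate", "high", "critical")

def _counts(audit_json: str) -> dict:
    return json.loads(audit_json)["metadata"]["vulnerabilities"]

def summarize(audit_json: str) -> str:
    """Render the summary line npm prints, e.g. '16 vulnerabilities (3 moderate, 13 high)'."""
    counts = _counts(audit_json)
    total = counts.get("total") or sum(counts.get(s, 0) for s in SEVERITIES)
    if total == 0:
        return "found 0 vulnerabilities"
    parts = [f"{counts[s]} {s}" for s in SEVERITIES if counts.get(s, 0)]
    noun = "vulnerability" if total == 1 else "vulnerabilities"
    return f"{total} {noun} ({', '.join(parts)})"

def delta(before_json: str, after_json: str) -> dict:
    """Per-severity change (after minus before); negative values are findings fixed."""
    b, a = _counts(before_json), _counts(after_json)
    return {s: a.get(s, 0) - b.get(s, 0) for s in SEVERITIES if a.get(s, 0) != b.get(s, 0)}

def resolved_packages(before_json: str, after_json: str) -> list:
    """Packages present in the 'before' findings but absent afterwards (sorted)."""
    before = json.loads(before_json).get("vulnerabilities", {})
    after = json.loads(after_json).get("vulnerabilities", {})
    return sorted(set(before) - set(after))

# Constructed sample documents: package names are placeholders, not real advisories,
# and the per-package map is abbreviated relative to the metadata totals.
BEFORE = json.dumps({
    "vulnerabilities": {"pkg-a": {"severity": "high", "fixAvailable": True},
                        "pkg-b": {"severity": "moderate", "fixAvailable": False}},
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 3,
                                     "high": 13, "critical": 0, "total": 16}}})
AFTER = json.dumps({
    "vulnerabilities": {"pkg-b": {"severity": "moderate", "fixAvailable": False}},
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 3,
                                     "high": 12, "critical": 0, "total": 15}}})

if __name__ == "__main__":
    print("develop:", summarize(BEFORE))
    print("feature:", summarize(AFTER))
    print("delta:", delta(BEFORE, AFTER), "resolved:", resolved_packages(BEFORE, AFTER))
```

Running `npm audit --json > audit.json` on each branch and feeding the two files to these functions gives a count comparison that does not depend on copying numbers from a terminal by hand.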

@mahoneycm

@mejiaj Good catch, looks like I accidentally copied over the dependency vulnerability count from USWDS-Tutorial (tested before this branch)

Updated the PR description to match!

@mahoneycm mahoneycm requested a review from mejiaj July 22, 2024 19:00
@mejiaj mejiaj requested a review from thisisdano July 25, 2024 13:49
@mahoneycm

August additions

Node

chromedriver 125.0.3 → 127.0.1
postcss ^8.4.39 → ^8.4.41
sass-embedded ^1.77.5 → ^1.77.8

Gems

google-protobuf 4.27.2 → 4.27.3
public_suffix 6.0.0 → 6.0.1
rexml 3.3.2 → 3.3.4

Note: the chromedriver update was required to make `npm run test:a11y` run without error, due to a restriction where chromedriver needs to be within +/- 1 version of your local Chrome version. Because of this, `npm run test:a11y` was failing on this branch as well as develop.

Related GH thread

@mahoneycm mahoneycm requested a review from mejiaj August 6, 2024 22:54
@mahoneycm mahoneycm changed the title Public-Sans - POAM: July '24 Public-Sans - POAM: August '24 Aug 6, 2024
@thisisdano

Installed latest compile and ran npm audit fix.

11 vulnerabilities (6 moderate, 5 high)

@thisisdano thisisdano merged commit 74631a7 into develop Sep 9, 2024
4 checks passed
@thisisdano thisisdano deleted the cm-POAM-july-2024 branch September 9, 2024 02:42