This repository has been archived by the owner on Dec 6, 2024. It is now read-only.

GTT-907: Immer upgrade to fix vulnerability #246

Closed
wants to merge 3 commits into from

Conversation

ajmokotoff (Contributor)

Description

Upgraded immer to 8.0.1, as that version is safe from the vulnerability the older versions had.

Testing

Ran test suite successfully and played around the site briefly. Didn't see any issues.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

frontend/package.json: review comment (outdated, resolved)
@ferdingler (Contributor)

What process did you follow to upgrade this? Did you edit the yarn.lock manually?

Doing an npm ls immer in the frontend package, I see the following:

performance-dashboard-frontend@1.0.0
└─┬ react-scripts@4.0.0
  └─┬ react-dev-utils@11.0.1
    └── immer@7.0.9

Immer is a dependency of react-dev-utils which is a dependency of react-scripts. I wonder if it's best to upgrade react-scripts assuming that they have already released a patch.

@ferdingler (Contributor)

If react-scripts hasn't released a patch, then I believe the proper way for upgrading a transitive dependency is to use package.json resolutions: https://classic.yarnpkg.com/en/docs/selective-version-resolutions/
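
The two steps discussed in this thread, finding out which version of a transitive dependency the lockfile actually resolves to and pinning it with a `resolutions` entry, done against a yarn.lock directly. This is an added example, not code from this PR or from the project: the lockfile text is constructed (only the classic Yarn v1 format is handled), the versions 7.0.9 and 8.0.1 come from the thread, and the `react-dev-utils/immer` key follows Yarn's documented selective-resolution syntax for scoping a pin to one dependent.

```javascript
// Added example, not code from this PR or from the project: audit a Yarn v1
// lockfile for the versions a package actually resolves to, flag any below a
// fixed release, and build the package.json "resolutions" entry that pins a
// transitive dependency (the mechanism linked in the comment above).
// Only the classic Yarn v1 lockfile format is handled. The lockfile text is
// constructed here; the immer versions (7.0.9 installed, 8.0.1 fixed) and the
// react-dev-utils dependent are taken from the thread.

const SAMPLE_YARN_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


immer@7.0.9:
  version "7.0.9"
  resolved "https://registry.yarnpkg.com/immer/-/immer-7.0.9.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

immer@^8.0.0:
  version "8.0.1"
  resolved "https://registry.yarnpkg.com/immer/-/immer-8.0.1.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

react-dev-utils@^11.0.1:
  version "11.0.1"
  resolved "https://registry.yarnpkg.com/react-dev-utils/-/react-dev-utils-11.0.1.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
  dependencies:
    immer 7.0.9
`;

// "name@range" -> { name, range }; the last "@" separates them so scoped
// packages such as "@scope/pkg@^1.0.0" split correctly.
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) return { name: spec, range: '' };
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

// Parse v1 lockfile entries: an unindented "spec, spec:" header line followed
// by indented fields, of which only `version "x.y.z"` is kept.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const specs = line
        .slice(0, -1)
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''))
        .map(splitSpec);
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric major.minor.patch comparison; pre-release suffixes are ignored.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every distinct version the lockfile resolves pkgName to, ascending.
function resolvedVersions(lockText, pkgName) {
  const versions = new Set();
  for (const entry of parseYarnLockV1(lockText)) {
    if (entry.version && entry.specs.some((s) => s.name === pkgName)) {
      versions.add(entry.version);
    }
  }
  return [...versions].sort(compareSemver);
}

// Report which resolved versions are still below the first fixed release.
function auditLock(lockText, pkgName, minFixedVersion) {
  const resolved = resolvedVersions(lockText, pkgName);
  const vulnerable = resolved.filter((v) => compareSemver(v, minFixedVersion) < 0);
  return { resolved, vulnerable };
}

// Yarn selective resolution: a "<dependent>/<package>" key pins only the copy
// pulled in by <dependent>; a bare "<package>" key would pin every copy.
function resolutionsEntry(dependent, pkgName, version) {
  return { resolutions: { [`${dependent}/${pkgName}`]: version } };
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditLock(SAMPLE_YARN_LOCK, 'immer', '8.0.1');
  console.log(`immer resolves to: ${report.resolved.join(', ')}`);
  if (report.vulnerable.length) {
    console.log(`below 8.0.1: ${report.vulnerable.join(', ')}`);
    console.log('add to frontend/package.json, then re-run yarn install:');
    console.log(JSON.stringify(resolutionsEntry('react-dev-utils', 'immer', '8.0.1'), null, 2));
  }
}
```

Running it against a real frontend/yarn.lock instead of the constructed text is the lockfile-level equivalent of the `npm ls immer` check above; after adding the emitted `resolutions` block and reinstalling, the audit should report only versions at or above 8.0.1.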

@ajmokotoff (Contributor, Author)

> What process did you follow to upgrade this? Did you edit the yarn.lock manually?
>
> Doing an npm ls immer in the frontend package, I see the following:
>
> performance-dashboard-frontend@1.0.0
> └─┬ react-scripts@4.0.0
>   └─┬ react-dev-utils@11.0.1
>     └── immer@7.0.9
>
> Immer is a dependency of react-dev-utils which is a dependency of react-scripts. I wonder if it's best to upgrade react-scripts assuming that they have already released a patch.

I ran yarn upgrade on that script; I then changed the dependency in react-dev-utils to depend on that new version. Maybe this is incorrect. I do think it would be better to just update the utils library itself.

@ferdingler (Contributor)

Closing as the solution will be to bump up react-scripts when they release a new version.

@ferdingler ferdingler closed this Jan 27, 2021
@ferdingler ferdingler deleted the GTT-907 branch February 15, 2021 20:25