
Conversation

@mcab
Member

@mcab mcab commented Feb 3, 2021

The goal of this PR is to get things to a "working state."

We want to get coverage and unit tests in a good state (they run) before doing any additional changes.

This allows us to revert if necessary.

mcab added 4 commits February 2, 2021 18:19
To address errors reported by npm audit, we can bump the version for this
dependency, and validate that the tests still run.
--compilers was deprecated in favor of --require. Utilize --require to have
tests still run.
This tool was used for validating code coverage. Add the tool as a developer
dependency.
- Fix the path to coffeescript so it runs.
- Fix the path to jscoverage so it runs.
- Remove outdated reference to html-doc.
- Replace --compilers with --require to utilize coffeescript.
@mcab
Member Author

mcab commented Feb 3, 2021

❯ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install xml-crypto@2.0.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Improper Key Verification                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ xml-crypto                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ xml-crypto                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ xml-crypto                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1583                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ uglify-js                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jscoverage [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jscoverage > uglify-js                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/48                              │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jscoverage [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jscoverage > debug                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/534                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jscoverage [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jscoverage > optimist > minimist                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 vulnerabilities (3 low, 1 high) in 139 scanned packages
  1 vulnerability requires semver-major dependency updates.
  3 vulnerabilities require manual review. See the full report for details.

Without adding jscoverage, we would only have to address xml-crypto, which should be addressed with #215!

The problem is that jscoverage was used, and as an evil necessity, will be here until we can use #198 to replace jscoverage with a newer coverage tool (nyc).

This script actually did nothing; make build doesn't do anything. So, we'll
remove it so npm does not alert us on "prepublish" being deprecated.

❯ npm i
npm WARN prepublish-on-install As of npm@5, `prepublish` scripts are deprecated.
npm WARN prepublish-on-install Use `prepare` for build steps and `prepublishOnly` for upload-only.
npm WARN prepublish-on-install See the deprecation note in `npm help scripts` for more information.

> saml2-js@2.0.7 prepublish /[...]/Clever/saml2
> make build

make: Nothing to be done for `build'.
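The audit output above mixes one advisory that reaches production code (xml-crypto) with three that are confined to the jscoverage dev dependency. The following is an added example, not code from this PR or the saml2-js project, of how a CI step can make that distinction mechanically: it takes an `npm audit --json` report, separates advisories that any production path reaches from those found only under devDependencies, and applies a different severity threshold to each. It assumes the npm 6 JSON layout (an `advisories` object keyed by id, each with `findings[].dev` and `findings[].paths`); the sample report embedded here is constructed from the four advisories shown in the terminal output, with only the fields the script uses.

```javascript
// Added example (not part of the saml2-js PR): gate CI on `npm audit --json`
// output while treating devDependency-only advisories less strictly.
// Assumption: npm 6 report shape, i.e. `advisories` keyed by advisory id, each
// carrying `module_name`, `severity`, `title`, `url` and `findings`, where a
// finding has `dev: true` when every path to it goes through a devDependency.

// Constructed sample mirroring the four advisories from the audit run above.
const sampleReport = {
  advisories: {
    "1583": {
      id: 1583, module_name: "xml-crypto", severity: "high",
      title: "Improper Key Verification", url: "https://npmjs.com/advisories/1583",
      findings: [{ paths: ["xml-crypto"], dev: false }],
    },
    "48": {
      id: 48, module_name: "uglify-js", severity: "low",
      title: "Regular Expression Denial of Service", url: "https://npmjs.com/advisories/48",
      patched_versions: ">=2.6.0",
      findings: [{ paths: ["jscoverage>uglify-js"], dev: true }],
    },
    "534": {
      id: 534, module_name: "debug", severity: "low",
      title: "Regular Expression Denial of Service", url: "https://npmjs.com/advisories/534",
      patched_versions: ">= 2.6.9 < 3.0.0 || >= 3.1.0",
      findings: [{ paths: ["jscoverage>debug"], dev: true }],
    },
    "1179": {
      id: 1179, module_name: "minimist", severity: "low",
      title: "Prototype Pollution", url: "https://npmjs.com/advisories/1179",
      patched_versions: ">=0.2.1 <1.0.0 || >=1.2.3",
      findings: [{ paths: ["jscoverage>optimist>minimist"], dev: true }],
    },
  },
};

// npm's severity ladder, ranked so thresholds can be compared numerically.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Split advisories into those reachable from production code and those whose
// every finding is flagged `dev`. A single non-dev finding makes it production.
function classifyAdvisories(report) {
  const production = [];
  const devOnly = [];
  for (const adv of Object.values(report.advisories || {})) {
    const findings = adv.findings || [];
    const reachesProduction = findings.some((f) => !f.dev);
    const entry = {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      paths: findings.flatMap((f) => f.paths || []),
      url: adv.url,
    };
    (reachesProduction ? production : devOnly).push(entry);
  }
  return { production, devOnly };
}

// Decide pass/fail: production advisories block at `failAt` or above,
// dev-only advisories only at `failDevAt` or above (defaults are assumptions,
// not a recommendation from the page).
function auditGate(report, { failAt = "high", failDevAt = "critical" } = {}) {
  const { production, devOnly } = classifyAdvisories(report);
  const atLeast = (sev, threshold) =>
    (SEVERITY_RANK[sev] || 0) >= SEVERITY_RANK[threshold];
  const blocking = [
    ...production.filter((a) => atLeast(a.severity, failAt)),
    ...devOnly.filter((a) => atLeast(a.severity, failDevAt)),
  ];
  return { pass: blocking.length === 0, blocking, production, devOnly };
}

// Human-readable summary for a CI log.
function summarize(result) {
  const line = (a) => `  [${a.severity}] ${a.module} #${a.id}: ${a.title} (${a.paths.join(", ")})`;
  return [
    `production-reachable advisories: ${result.production.length}`,
    ...result.production.map(line),
    `devDependency-only advisories: ${result.devOnly.length}`,
    ...result.devOnly.map(line),
    result.pass ? "GATE: pass" : `GATE: FAIL on ${result.blocking.map((a) => a.module).join(", ")}`,
  ].join("\n");
}

console.log(summarize(auditGate(sampleReport)));

module.exports = { sampleReport, classifyAdvisories, auditGate, summarize };
```

Run against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of `sampleReport`; a CI wrapper would exit non-zero whenever `auditGate(...).pass` is false. On the constructed sample the gate fails only on xml-crypto, which matches the manual reading in the comment above: the three jscoverage advisories are dev-only and stay below the dev threshold.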
@mcab mcab force-pushed the mcab/bump-dependencies branch from 1b58b43 to e2080a3 Compare February 3, 2021 02:37
@mcab
Member Author

mcab commented Feb 3, 2021

❯ npm i
npm WARN prepublish-on-install As of npm@5, `prepublish` scripts are deprecated.
npm WARN prepublish-on-install Use `prepare` for build steps and `prepublishOnly` for upload-only.
npm WARN prepublish-on-install See the deprecation note in `npm help scripts` for more information.

> saml2-js@2.0.7 prepublish /[...]/Clever/saml2
> make build

make: Nothing to be done for `build'.
npm WARN saml2-js@2.0.7 No license field.

added 138 packages from 158 contributors and audited 139 packages in 1.759s

16 packages are looking for funding
  run `npm fund` for details

found 4 vulnerabilities (3 low, 1 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Turns out, we don't really use npm run prepublish. We can fix this by removing the script altogether.

❯ npm i
npm WARN saml2-js@2.0.7 No license field.

added 138 packages from 158 contributors and audited 139 packages in 1.676s

16 packages are looking for funding
  run `npm fund` for details

found 4 vulnerabilities (3 low, 1 high)
  run `npm audit fix` to fix them, or `npm audit` for details

@mcab mcab merged commit 161203b into master Feb 3, 2021
@mcab mcab deleted the mcab/bump-dependencies branch February 3, 2021 02:47
@mcab mcab self-assigned this Feb 3, 2021
@mcab mcab mentioned this pull request Feb 4, 2021