
Resolve "SECURITY: update library versions to plug vulns"

Margot requested to merge 166-update-library-versions into master

Closes #166 (closed) - OK, actual outcome and TMI on process since I'm a newbie:

I updated:

  • sequelize-cli 5.5.1
  • sequelize 5.21.3
  • lodash 4.17.1

directly in package.json and make _.update'd and all was fine, both make tests.all and smoke tests ran fine.

These:

  • eslint-utils (bump to >= 1.4.1)
  • set-value (bump to >2.0.1)
  • mixin-deep (bump to >= 1.3.2)

were lower-level dependencies that seemed to trace back to two packages, nodemon and eslint (using yarn why). When I upgraded those two, though, both set-value and mixin-deep stopped being installed packages... only eslint-utils seems to still exist (and was upgraded as expected). I have to assume that's expected and the dependencies were removed. Or I have no idea what I'm doing, which is entirely possible :)

Rebuilt again and tested again and all seemed fine. Didn't do a channel creation but tested most other commands.

See notes in standup about testing a full yarn upgrade in the container.
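An added check, not part of this merge request, that a reviewer could run against yarn.lock after such a bump to confirm the three transitive packages the MR names no longer resolve below their required versions (or have disappeared, as observed for set-value and mixin-deep). The lockfile text is a constructed sample and the yarn.lock v1 parsing assumes only the `name@range:` / `version "x.y.z"` layout:

```python
"""Flag yarn.lock v1 entries that resolve a named package below its required version."""
import re

# Minimums as listed in the MR: eslint-utils >= 1.4.1, set-value > 2.0.1, mixin-deep >= 1.3.2
MINIMUMS = {"eslint-utils": (1, 4, 1), "set-value": (2, 0, 1), "mixin-deep": (1, 3, 2)}
STRICT = {"set-value"}  # the MR writes this one as a strict ">"

# Constructed sample lockfile: one entry already fixed, two still below the bar
SAMPLE_LOCK = """\
# yarn lockfile v1

eslint-utils@^1.4.1:
  version "1.4.3"
  resolved "https://registry.example/eslint-utils-1.4.3.tgz"

mixin-deep@^1.2.0:
  version "1.3.1"

set-value@^2.0.0, set-value@^2.0.1:
  version "2.0.1"
"""

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def installed_versions(lock_text):
    """Map package name -> set of resolved versions (a package may appear in several entries)."""
    found, name = {}, None
    for line in lock_text.splitlines():
        header = re.match(r'^"?(@?[^@"\s]+)@', line)  # e.g. set-value@^2.0.0, set-value@^2.0.1:
        if header and not line.startswith(" "):
            name = header.group(1)
            continue
        ver = re.match(r'^\s+version "([^"]+)"', line)
        if ver and name:
            found.setdefault(name, set()).add(ver.group(1))
    return found

def below_minimum(lock_text, minimums=MINIMUMS):
    """Return {package: [offending versions]} for packages still resolving too low."""
    problems = {}
    for pkg, versions in installed_versions(lock_text).items():
        if pkg not in minimums:
            continue
        for v in sorted(versions):
            pv = parse_version(v)
            too_low = pv <= minimums[pkg] if pkg in STRICT else pv < minimums[pkg]
            if too_low:
                problems.setdefault(pkg, []).append(v)
    return problems

if __name__ == "__main__":
    print(below_minimum(SAMPLE_LOCK) or "all named packages meet their minimum versions")
```

A package absent from the output is either fixed or no longer in the lockfile at all, which matches the MR's observation that upgrading nodemon and eslint removed set-value and mixin-deep entirely.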
