build(deps): bulk fix CVEs via dependency resolution overrides 2023-10-23 #2828

Closed
petermetz opened this issue Oct 24, 2023 · 0 comments · Fixed by #2830
Labels: dependencies (Pull requests that update a dependency file), P1 (Priority 1: Highest), Security (Related to existing or potential security vulnerabilities)

Comments

@petermetz (Member)
Description

Upgrading vulnerable dependencies has become a game of whack-a-mole: Vulnerabilities that I've submitted pull requests for in the past few weeks are reappearing because new pull requests keep adding back the vulnerable versions of these dependencies to the project build.
We could have a CI step scanning for these and block the PRs from getting merged, but that's extra resources used on the already stretched-thin CI, so the simpler route is to start using the central (root package.json file's) resolution overrides more aggressively. Previously I was advocating for this to be a last resort, but seeing in recent weeks how the accidental re-adding of vulnerabilities happens very frequently nowadays (due to project growth, which is a good thing in itself), I changed my mind on it and decided that my new recommendation is to lock ourselves away from vulnerable versions of dependencies entirely via the centralized overrides.

The scope of this task: Submit one PR with resolution overrides.

Acceptance Criteria

  1. All the resolution overrides are defined with a "greater or equal" qualifier to ensure that we are not blocking people from upgrading further (e.g., if v0.9.0 is vulnerable, we should say >=1.0.0 instead of =1.0.0 because the former is not forcing us to not use v1.1.0 in the future as it comes out)
  2. Each resolution override is detailed in the commit message body; links to the GitHub security advisory and the CVE IDs are included
  3. Build is still working
  4. There is no significant slowdown in the build
  5. The tests are passing as well
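One way to check acceptance criterion 1 mechanically, as an added example that is not part of this issue or of the hyperledger/cacti code base: a small Node.js script that reads the root package.json, looks at its `resolutions` block (yarn) or `overrides` block (npm), and reports every override that is not a plain `>=X.Y.Z` lower bound (exact pins and caret ranges both fail, because they would block the future upgrade the issue wants to allow). It also exposes a helper to ask whether a given installed version is still below an override's floor. The two embedded package.json samples, their package names and their version numbers are constructed for this example and are not the project's real overrides; the script uses a minimal hand-written MAJOR.MINOR.PATCH comparison instead of the `semver` package so it runs with no dependencies.

```javascript
// Added example (not from the hyperledger/cacti issue or its PR): checks that
// every root package.json override uses a ">=X.Y.Z" lower bound, as the
// acceptance criteria of the issue require. Package names and versions in the
// samples below are constructed placeholders.

const GOOD_SAMPLE = {
  name: "example-monorepo-root",
  private: true,
  resolutions: {
    "example-parser": ">=1.0.0", // lower bound only: future upgrades stay possible
    "example-archive": ">= 4.2.0", // whitespace after ">=" is tolerated
  },
};

const BAD_SAMPLE = {
  name: "example-monorepo-root",
  private: true,
  resolutions: {
    "example-http-client": "2.4.1", // exact pin: blocks every later fix release
    "example-yaml": "^3.0.0", // caret range: not a plain lower bound
    "example-parser": ">=1.0.0",
  },
};

// Parse "MAJOR.MINOR.PATCH" into three numbers; anything else yields null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric (not lexicographic) comparison, so 10.0.0 > 9.0.0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Accept only ranges of the form ">=X.Y.Z"; return the parsed floor or null.
function parseLowerBoundRange(range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  return m ? parseVersion(m[1]) : null;
}

// Walk the resolutions/overrides block and list every entry that is not a
// ">=X.Y.Z" lower bound. An empty list means criterion 1 is satisfied.
function validateOverrides(pkg) {
  const problems = [];
  const block = pkg.resolutions || pkg.overrides;
  if (!block) {
    problems.push("no resolutions/overrides block found in package.json");
    return problems;
  }
  for (const [name, range] of Object.entries(block)) {
    if (typeof range !== "string") {
      // npm allows nested override objects; they are flagged, not descended.
      problems.push(`${name}: nested/non-string override is not a ">=" bound`);
    } else if (!parseLowerBoundRange(range)) {
      problems.push(`${name}: "${range}" is not a ">=X.Y.Z" lower bound`);
    }
  }
  return problems;
}

// True when an installed version meets the override's floor; false for
// versions below the floor and for ranges that are not ">=" bounds.
function satisfiesOverride(installedVersion, range) {
  const floor = parseLowerBoundRange(range);
  const installed = parseVersion(installedVersion);
  if (!floor || !installed) return false;
  return compareVersions(installed, floor) >= 0;
}

// Stand-alone use: `node check-overrides.js path/to/package.json`; with no
// path argument the constructed samples are checked instead.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  if (file && file.endsWith(".json")) {
    const fs = require("node:fs");
    const problems = validateOverrides(JSON.parse(fs.readFileSync(file, "utf8")));
    for (const p of problems) console.log("problem:", p);
    process.exitCode = problems.length === 0 ? 0 : 1;
  } else {
    console.log("good sample problems:", validateOverrides(GOOD_SAMPLE));
    console.log("bad sample problems:", validateOverrides(BAD_SAMPLE));
  }
}
```

The `>=` floor is deliberately open at the top: it lets a later major version in, which is the point of criterion 1, but it also means an override can pull a breaking release into the build, which is why criteria 3 to 5 (build still working, no slowdown, tests passing) have to be checked after every override change. Overrides only take effect once the lockfile is regenerated, so the check is most useful as a step that runs after `yarn install` or `npm install` rather than on the bare package.json.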
@petermetz petermetz added dependencies Pull requests that update a dependency file Security Related to existing or potential security vulnerabilities P1 Priority 1: Highest labels Oct 24, 2023
@petermetz petermetz added this to the v2.0.0 milestone Oct 24, 2023
@petermetz petermetz self-assigned this Oct 24, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Oct 24, 2023
…0-23

WORK IN PROGRESS

Fixes hyperledger#2828

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Oct 24, 2023
…0-23

1. Couldn't get rid of vulnerable versions in a couple of dependencies
because the underlying dependencies have gone ESM only which is a blocker
for us at the moment unfortunately.
2. Swapped out the ubiquity TS client to a version of it that I self
published onto npm after a full renovation of all of its dependencies.

Depends on hyperledger#2807 (because that one also has a couple of dependency bumps
that are needed to eliminate the vulnerabilities)

Fixes hyperledger#2828

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz added a commit to petermetz/cacti that referenced this issue Nov 1, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Nov 7, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Nov 10, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Nov 10, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Nov 10, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Nov 14, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Nov 15, 2023
petermetz added a commit to petermetz/cacti that referenced this issue Nov 15, 2023
petermetz added a commit that referenced this issue Nov 15, 2023
sandeepnRES pushed a commit to sandeepnRES/cacti that referenced this issue Dec 21, 2023