chore: [REV-1551] clean up dependencies for Renovate (#510)
* chore: run npm audit fix

* chore: upgrade to @edx/frontend-build@8.1.3 for npm audit

* chore: remove purgecss-webpack-plugin

Required to upgrade @edx/frontend-build.

See https://github.com/edx/frontend-build/releases/tag/v7.0.0

* chore: upgrade to immer@9.0.6 for npm audit

* chore: upgrade to @edx/paragon@16.16.0 for npm audit

* chore: upgrade to mozjpeg@7.1.1 for npm audit

Note: There is a known issue in mozjpeg@7.1.1:

On GitHub, see: imagemin/mozjpeg-bin!67

This may throw errors in the dev build. However, since it is a
devDependency, it should not affect the prod build.

Workarounds:
* Pin mozjpeg@7.1.0 locally.
* `apt-get install nasm` in your frontend-app-payment devstack shell.

Note mozjpeg@7.1.0 contains 1 high vulnerability.

* chore: upgrade to html-webpack-plugin@5.3.2 to fix htmlWebpackPluginAlterChunks error

* chore: upgrade react (&c) for npm audit

* fix: unpin all repos and npm update for renovate prep

* chore: upgrade to audit-ci@5 & husky@7

* chore: upgrade to paragon@16.17

* fix: refresh snapshots after dependency upgrades

* chore: upgrade to form-urlencoded@6.0.5

* chore: upgrade to es-check@6.1.0 for npm audit

* chore: whitelist audit findings after manual review

* fix: sync Makefile precommit with package.json

* fix: add PCI compliance reminders

* chore: update snapshots

* fix: convert react-test-renderer tests to enzyme

Paragon <Input> components employ an accessibility test called
checkHasLabel() that uses forwardRefs.

checkHasLabel() is set to run only in devstack.

react-test-renderer is natively incompatible with forwardRefs:

    https://reactjs.org/docs/test-renderer.html#ideas

Convert react-test-renderer tests to enzyme tests so a jsdom makes
forwardRefs available for the devstack accessibility tests.

* fix: have CI do npm audit last

Audits usually are addressed after all tests have passed.

If audits precede test checks, information about test failure is obscured
by incoming audit findings.

* fix: remove depcheck-id'ed unused dependencies

* fix: upgrade husky

* fix: run npm upgrade & npm dedup

* fix: update owner & reflect removal of Purgecss in README.md

* fix: reword PCI compliance impact check

* chore: npm-force-resolutions to upgrade deps in lockfile
pshiu committed Nov 18, 2021
1 parent aab0353 commit dbe0855
Showing 17 changed files with 5,528 additions and 7,893 deletions.
22 changes: 15 additions & 7 deletions .github/PULL_REQUEST_TEMPLATE.md
Expand Up @@ -4,30 +4,38 @@ Please give the pull request a short but descriptive title.
Use this template as a guide. Omit sections that don't apply. You may link to information rather than copy it.
-->

## Anyone merging to this repository is expected to [release and monitor their changes](https://openedx.atlassian.net/wiki/spaces/RS/pages/1835106870/How+to+contribute+to+our+repositories); if you are not able to do this DO NOT MERGE, please coordinate with someone who can to ensure that the changes are released.
## Anyone merging to this repository is expected to [promptly release and monitor their changes](https://openedx.atlassian.net/wiki/spaces/RS/pages/1835106870/How+to+contribute+to+our+repositories); if you are not able to do this DO NOT MERGE, please coordinate with someone who can to ensure that the changes are released.

## Description

<!--
Describe what this pull request changes, and why these changes were made. How will these changes affect other people, installations of edx, etc.?
Please include links to any relevant ADRs, design artifacts, and decision documents. Make sure to document the rationale behind significant changes in the repo, per [OEP-19](https://open-edx-proposals.readthedocs.io/en/latest/oep-0019-bp-developer-documentation.html), and can be
linked here.
Please include links to any relevant ADRs, design artifacts, and decision documents. Make sure to document the rationale behind significant changes in the repo, per [OEP-19](https://open-edx-proposals.readthedocs.io/en/latest/oep-0019-bp-developer-documentation.html), and can be linked here.
Useful information to include:
- Which edX user roles will this change impact? Common user roles are "Learner", "Course Author", "Developer", and "Operator".
- Include screenshots for changes to the UI (ideally, both "before" and "after" screenshots, if applicable).
- Provide links to the description of corresponding configuration changes. Remember to correctly annotate these changes.
-->

## Supporting information

<!--
Link to other information about the change, such as Jira issues, GitHub issues, or Discourse discussions.
Be sure to check they are publicly readable, or if not, repeat the information here.
-->

## Testing instructions

<!--
Please provide detailed step-by-step instructions for testing this change; how did YOU test this change?
-->

## Other information

<!--
Include anything else that will help reviewers and consumers understand the change.
- Does this change depend on other changes elsewhere?
- Any special concerns or limitations? For example: deprecations, migrations, OpenEdx vs. edx.org differences, development vs. production environment differences, security, or accessibility.
-->

## Checklist
- [ ] Consider PCI compliance impact and whether this PR changes how credit card information is handled.
- [ ] Intend to [release and monitor](https://openedx.atlassian.net/wiki/spaces/RS/pages/1835106870/How+to+contribute+to+our+repositories) this PR promptly after merge.
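
Review bot: The new checklist item "Consider PCI compliance impact and whether this PR changes how credit card information is handled" can be ticked without leaving any record of the conclusion. Ask the author to state the outcome in the Description section (whether card-data handling is touched, and on what basis) so the reviewer has something concrete to verify. Separately, the rejoined OEP-19 sentence in the Description comment still ends with "and can be linked here", which has no subject; "these can be linked here" reads cleanly.
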
6 changes: 3 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -20,9 +20,6 @@ jobs:
with:
node-version: 12

- name: Run Whitelist Audit
run: npm run audit:whitelisted

- name: Install dependencies
run: npm ci

Expand All @@ -40,3 +37,6 @@ jobs:

- name: Build
run: npm run build

- name: Run Whitelist Audit
run: npm run audit:whitelisted
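
Review bot: With `Run Whitelist Audit` moved to the last step after `Build`, the audit no longer runs at all when an earlier step fails, because steps following a failed step are skipped by default. A branch with a broken test therefore gets no audit result until the tests are fixed. If the goal is only to keep audit output from burying test failures, running the audit as a separate job, or adding `if: always()` to this step, keeps both signals visible.
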
4 changes: 4 additions & 0 deletions .husky/pre-commit
@@ -0,0 +1,4 @@
#!/bin/sh
. "$(dirname "$0")/_/husky.sh"

npm run lint && npm run audit:whitelisted
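
Review bot: The line `npm run lint && npm run audit:whitelisted` puts the audit on every local commit, so a commit can be blocked by an advisory published against a dependency the change never touches, or by the registry being unreachable. Consider keeping only `npm run lint` in the hook and leaving the audit to CI, where this commit already runs it as the final step.
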
2 changes: 2 additions & 0 deletions CODEOWNERS
@@ -0,0 +1,2 @@
# PCI compliance requires stricter scrutiny, see PR template
/src @edx/revenue-squad
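
Review bot: The rule `/src @edx/revenue-squad` covers application code only, so the files that decide which vulnerabilities are accepted and which checks run (`audit-ci.json`, `.github/workflows/ci.yml`, `.husky/pre-commit`, and the package manifests) can change without owner review. Since the comment on the first line cites PCI scrutiny as the reason for the file, add rules for those paths as well, or a `*` default owner.
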
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -12,7 +12,7 @@ transifex_temp = ./temp/babel-plugin-react-intl

precommit:
npm run lint
npm audit
npm run audit:whitelisted

requirements:
npm install
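
Review bot: The `precommit` target now repeats the two commands in `.husky/pre-commit` (`npm run lint`, `npm run audit:whitelisted`), so the two lists have to be kept in step by hand. Have the hook call `make precommit`, or drop one of the two, so there is a single definition of what runs before a commit.
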
6 changes: 1 addition & 5 deletions README.rst
Expand Up @@ -3,7 +3,7 @@
frontend-app-payment
====================

Please tag **@edx/arch-team** on any PRs or issues. Thanks.
Please tag **@edx/revenue-squad** on any PRs or issues. Thanks.

Introduction
------------
Expand Down Expand Up @@ -172,10 +172,6 @@ Build Process Notes

The production build is created with ``npm run build``.

**Purgecss**

The production Webpack configuration for this repo uses `Purgecss <https://www.purgecss.com/>`_ to remove unused CSS from the production css file. In webpack/webpack.prod.config.js the Purgecss plugin is configured to scan directories to determine what css selectors should remain. Currently the src/ directory is scanned along with all @edx/frontend-component* node modules and paragon. If you add and use a component in this repo that relies on HTML classes or ids for styling you must add it to the Purgecss configuration or it will be unstyled in the production build.

Internationalization
--------------------

16 changes: 5 additions & 11 deletions audit-ci.json
@@ -1,16 +1,10 @@
{
"allowlist": [
1675,
1676,
1677,
1693,
1747,
1748,
1751,
1753,
1754,
1773,
1776
1002401,
1002423,
1002465,
1002522,
1002655
],
"moderate": true
}
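
Review bot: The allowlist swaps eleven advisory IDs for five new ones (`1002401` through `1002655`) with nothing in the file saying which package each refers to or why it was accepted; "whitelist audit findings after manual review" in the commit message is the only record. JSON cannot carry comments, so record each ID with its advisory, affected package, reason for acceptance and a revisit date in the PR description or a companion document, otherwise entries tend to stay allowed after a fix ships.
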