
[SECURITY CVE-2019-5737] Upgrade node in Docker to 10.15.3 and refresh npm dependencies #94

Merged
merged 11 commits into master from chore/dependencies-update
Mar 10, 2019

Conversation

sergiitk
Owner

@sergiitk sergiitk commented Mar 9, 2019

Upgrades

  • Docker: Upgrade node to 10.15.3. This includes security updates, see nodejs.org announcement
  • Alpine (through node image): from 3.8.2 to 3.9.2
  • Chromium (through alpine image): from 71 to 72.0.3626.121-r0
  • CircleCI: use node:10.15.2, circleci/node:10.15.3-stretch isn't provided yet
  • Node modules upgrade:
 ◯ @babel/core        latest  7.2.2   ❯  7.3.4    https://babeljs.io/
 ◯ @babel/preset-env  latest  7.3.1   ❯  7.3.4    https://babeljs.io/
 ◯ ava                latest  1.2.0   ❯  1.3.1    https://ava.li
 ◯ codecov            latest  3.1.0   ❯  3.2.0    https://github.com/codecov/codecov-node
 ◯ css-loader         latest  2.1.0   ❯  2.1.1    https://github.com/webpack-contrib/css-loader
 ◯ eslint             latest  5.13.0  ❯  5.15.1   https://eslint.org
 ◯ esm                latest  3.2.0   ❯  3.2.9   https://github.com/standard-things/esm#readme
 ◯ nodemon            latest  1.18.9  ❯  1.18.10  http://nodemon.io
 ◯ nyc                latest  13.1.0  ❯  13.3.0   https://github.com/istanbuljs/nyc#readme
 ◯ prop-types         latest  15.6.2  ❯  15.7.2   https://facebook.github.io/react/
 ◯ puppeteer          latest  1.11.0  ❯  1.13.0   https://github.com/GoogleChrome/puppeteer#readme
 ◯ react              latest  16.7.0  ❯  16.8.4   https://reactjs.org/
 ◯ react-dom          latest  16.7.0  ❯  16.8.4   https://reactjs.org/
 ◯ sinon              latest  7.2.3   ❯  7.2.7    https://sinonjs.org/
 ◯ webpack            latest  4.29.0  ❯  4.29.6   https://github.com/webpack/webpack
 ◯ webpack-cli        latest  3.2.1   ❯  3.2.3    https://github.com/webpack/webpack-cli#readme

 dependencies
   name               range   from       to       url
 ◯ luxon              latest  1.11.0  ❯  1.11.4   https://github.com/moment/luxon#readme
 ◯ nunjucks           latest  3.1.7   ❯  3.2.0    https://github.com/mozilla/nunjucks#readme

 resolutionDependencies
   name               range   from       to       url
 ◯ terser             latest  3.14.1  ❯  3.16.1   https://github.com/fabiosantoscode/terser
  • Direct dependencies upgraded for
├─ @babel/preset-env@7.3.4
├─ @babel/preset-react@7.0.0
├─ @semantic-release/changelog@3.0.2
├─ @semantic-release/git@7.0.8
├─ ava@1.3.1
├─ babel-loader@8.0.5
├─ babel-polyfill@6.26.0
├─ basic-auth@2.0.1
├─ chai-as-promised@7.1.1
├─ chai@4.2.0
├─ codecov@3.2.0
├─ conventional-changelog-ember@2.0.2
├─ css-loader@2.1.1
├─ dotenv@6.2.0
├─ eslint-config-airbnb@17.1.0
├─ eslint-plugin-ava@5.1.1
├─ eslint-plugin-import@2.16.0
├─ eslint-plugin-jsx-a11y@6.2.1
├─ eslint-plugin-react@7.12.4
├─ eslint@5.15.1
├─ esm@3.2.9
├─ faucet@0.0.1
├─ koa-mount@4.0.0
├─ koa-route@3.2.0
├─ koa-static@5.0.0
├─ koa-views@6.1.5
├─ koa@2.7.0
├─ luxon@1.11.4
├─ mini-css-extract-plugin@0.5.0
├─ mockserver@3.0.0
├─ node-fetch@2.3.0
├─ node-sass@4.11.0
├─ nodemon@1.18.10
├─ nunjucks@3.2.0
├─ nyc@13.3.0
├─ optimize-css-assets-webpack-plugin@5.0.1
├─ prop-types@15.7.2
├─ puppeteer@1.13.0
├─ react-dom@16.8.4
├─ react@16.8.4
├─ sass-loader@7.1.0
├─ semantic-release@15.13.3
├─ sinon-chai@3.3.0
├─ sinon@7.2.7
├─ style-loader@0.23.1
├─ tap-xunit@2.3.0
├─ tsscmp@1.0.6
├─ webpack-cli@3.2.3
├─ webpack-merge@4.2.1
├─ webpack@4.29.6
├─ winston@3.2.1

Backward-incompatible upgrades

esm

  • Secondary dependency to ava
  • Attempted upgrade from 3.2.0 to 3.2.14; it broke nyc reports
  • Rolled back to 3.2.9 using yarn resolutions

Other

  • Compose: Rename shared node_modules folder to avoid naming conflicts
  • Compose: avoid mounting node_modules from the host
  • Compose: start yarn first to enforce deterministic volume data copying
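The PR's security point is that the container must actually be running Node 10.15.3 or newer, so the check worth keeping around is one that reads the version a built image reports and compares it against that minimum. The script below is an added example, not code from this PR or repository: `version_ge` does a field-by-field numeric compare of dotted versions (plain string comparison would rank "10.9.0" above "10.15.3"), `check_node_version` validates and judges a `node --version` string, and `check_image` is an assumed wrapper that runs that command inside a named image with `docker run`. The minimum version is taken from the PR title; the sample version strings in the demo are constructed.

```shell
#!/bin/sh
# Added example (not part of PR #94): confirm an image's bundled Node.js is at
# least the version this PR upgrades to. 10.15.3 is the version named in the PR.
MIN_NODE="10.15.3"

# version_ge A B -> exit 0 when dotted version A >= B, comparing each of the
# three fields numerically. A leading "v" (as printed by `node --version`) is
# stripped; missing fields count as 0.
version_ge() {
    a=${1#v}; b=${2#v}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_node_version "<output of node --version>"
#   exit 0 = at or above MIN_NODE, 1 = too old, 2 = not a version string
check_node_version() {
    v=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$v" in
        v[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unparseable node version: '$1'" >&2; return 2 ;;
    esac
    if version_ge "$v" "$MIN_NODE"; then
        echo "OK: node $v >= $MIN_NODE"
        return 0
    fi
    echo "OUTDATED: node $v < $MIN_NODE (below the version this upgrade targets)" >&2
    return 1
}

# check_image IMAGE -> run `node --version` inside IMAGE (assumed usage; needs
# a docker daemon). Example: check_image myapp:latest
check_image() {
    check_node_version "$(docker run --rm "$1" node --version)"
}

# Demo on constructed version strings standing in for real `node --version`
# output; run as `sh check_node.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    check_node_version "v10.15.1"   # constructed: image from before the upgrade
    check_node_version "v10.15.3"   # constructed: image after the upgrade
fi
```

Wire `check_image` into the CI job that builds the image so a base-image regression (for example a cached older tag) fails the build rather than shipping.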

@codecov

codecov bot commented Mar 9, 2019

Codecov Report

Merging #94 into master will not change coverage.
The diff coverage is n/a.


@@          Coverage Diff           @@
##           master     #94   +/-   ##
======================================
  Coverage    6.81%   6.81%           
======================================
  Files          20      20           
  Lines         528     528           
  Branches       91      91           
======================================
  Hits           36      36           
  Misses        489     489           
  Partials        3       3

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 740e905...1e977ca. Read the comment docs.

@sergiitk sergiitk changed the title [CLEANUP chore-dependencies] Dependencies upgrade [SECURITY CVE-2019-5737] Upgrade node in Docker to 10.15.3 and refresh npm dependencies Mar 10, 2019
@sergiitk sergiitk marked this pull request as ready for review March 10, 2019 01:04
@sergiitk sergiitk merged commit 5eacded into master Mar 10, 2019
@sergiitk sergiitk deleted the chore/dependencies-update branch March 10, 2019 01:04
sergiitk pushed a commit that referenced this pull request Mar 14, 2019
## [1.0.1](v1.0.0...v1.0.1) (2019-03-14)

### Cleanup

- [98](#98) **chore-dependencies** More dependency upgrades
- [95](#95) **docker** Reduce docker image size by cleaning yarn cache

### Security

- [94](#94) **CVE-2019-5737** Upgrade node in Docker to 10.15.3 and refresh npm dependencies
@sergiitk
Owner Author

🎉 This PR is included in version 1.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@sergiitk sergiitk mentioned this pull request Mar 14, 2019
@sergiitk sergiitk added the dependencies Pull requests that update a dependency file label Jun 11, 2019