How to update npm packages?

[galaczi]

Somewhere Aman stated that we should update only @adonisjs/core and that would take care of all dependencies needing an update. In my project I have updated every @adonisjs package and still have some that has not been updated.

 luxon                     ^2.1.1  →   ^2.3.1     
 pg                        ^8.7.1  →   ^8.7.3     
 phc-argon2                ^1.1.2  →   ^1.1.3     
 @symfony/webpack-encore   ^1.6.1  →   ^1.8.1     
 autoprefixer             ^10.4.0  →  ^10.4.2     
 eslint                    ^8.3.0  →  ^8.10.0     
 eslint-config-prettier    ^8.3.0  →   ^8.5.0     
 eslint-plugin-adonis      ^2.0.0  →   ^2.1.0     
 pino-pretty               ^7.2.0  →   ^7.5.3     
 postcss                   ^8.4.5  →   ^8.4.7     
 prettier                  ^2.5.0  →   ^2.5.1     
 stylus                   ^0.55.0  →  ^0.56.0     
 typescript                  ~4.5  →     ~4.6     
 youch                     ^2.2.2  →   ^3.1.1     
 youch-terminal            ^1.1.1  →   ^2.1.3     

What can/should be updated out of these?

Npm audit is also showing some issues:

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @adonisjs/[email protected], which is a breaking change
node_modules/fast-glob/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      cpy  7.0.0 - 8.1.2
      Depends on vulnerable versions of globby
      node_modules/cpy
        @adonisjs/assembler  *
        Depends on vulnerable versions of @adonisjs/sink
        Depends on vulnerable versions of cpy
        node_modules/@adonisjs/assembler

marked  <4.0.10
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
fix available via `npm audit fix --force`
Will install @adonisjs/[email protected], which is a breaking change
node_modules/marked
  @adonisjs/sink  >=2.1.8
  Depends on vulnerable versions of marked
  Depends on vulnerable versions of marked-terminal
  node_modules/@adonisjs/sink
    @adonisjs/assembler  *
    Depends on vulnerable versions of @adonisjs/sink
    Depends on vulnerable versions of cpy
    node_modules/@adonisjs/assembler
  marked-terminal  <=4.2.0
  Depends on vulnerable versions of marked
  node_modules/marked-terminal

8 high severity vulnerabilities

I think a few words in the docs about the best way to keep Adonis updated would be nice.

[RomainLanz]

Hey @galaczi! 👋🏻

Like any other Node.js application, you read the changelog of those packages and apply the update if needed.
Also, I would recommend having a read on semver. You will learn when you can safely update a dependency without being scared of a breaking change.

[galaczi]

Hi @RomainLanz!

Thanks for your reply. I know semver. I just don't want to update something that Adonis depends on. Based on what you wrote, I should be ok updating minor versions?

Also I don't understand why npm audit wants to install @adonisjs/[email protected] when the current version is 5.4.2.

[momadthenomad]

The question is basically left unanswered. I would also like to know why npm audit is reporting security issues for the latest version of adonisJS?

[thetutlage]

We have answered the npm audit question dozen time already. Here is the most recent take #3333

[momadthenomad]

Yes, I see that now and I read an article saying npm audit is broken. Apologies for not reading all that before making the comment.

[jwilkey]

Read this also. We like the framework and were planning to use it, but our build pipelines in our company package proxy will refuse to install high severity vulnerabilities, even for dev, which means our pipelines can't test or build. Their reasoning is that if it is built or tested with vulnerable libraries, how can you be sure the production code is not vulnerable. I'm sure other large companies have similar policies. Thanks!