@josephfusco josephfusco commented Mar 14, 2025

This PR removes eslint-config-neon which contained a transitive dependency of [email protected]. This solves the corresponding dependabot alert:

https://github.com/wpengine/faustjs.org/security/dependabot/33

These changes also bring outdated dependencies up to date with their latest versions.

I am not sure what eslint-config-neon was doing, however some tests are failing.

@headless-platform-by-wp-engine

Check out the recent updates to your Headless Platform preview environment:

| App | Environment | URL | Build |
| --- | --- | --- | --- |
| faustjs.org | preview-env-dependabot-svelte | https://hy…wered.com | ✅ (logs) |

Learn more about preview environments in our documentation.

@moonmeister

only all of our linting.


@moonmeister moonmeister left a comment

eslint-config-neon provides all of our eslint configs. Many of these are available on their own. But they do the hard work of updating those configs to support the latest version of eslint config standards.

We'd need to rebuild our eslint config if we drop neon. This is a great example of how these security checks are completely pointless. This isn't a security concern, we're not using that part of the neon config, and it's only running in CI. Yet here we are spending way too much time dealing with it.

package.json Outdated
Comment on lines 56 to 58
"eslint-config-prettier": "^10.1.1",
"eslint-plugin-mdx": "^3.2.0",
"eslint-plugin-svelte": "^3.1.0",

Why did these get added?

"eslint-plugin-svelte": "^3.1.0",
"eslint-config-prettier": "^10.1.1",

@josephfusco josephfusco self-assigned this Mar 17, 2025
@github-project-automation github-project-automation bot moved this to 🆕 Backlog in Headless OSS Mar 17, 2025
@josephfusco josephfusco moved this from 🆕 Backlog to 🏗 In progress in Headless OSS Mar 17, 2025
@josephfusco josephfusco moved this from 🏗 In progress to 👀 In review in Headless OSS Mar 19, 2025
@moonmeister moonmeister enabled auto-merge March 19, 2025 19:15
@moonmeister moonmeister disabled auto-merge March 19, 2025 19:15
@moonmeister

@josephfusco Can confirm this won't update that svelte dependency. Do we want to do some kind of override or file for an exception?
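
An added example, not part of the original thread or the project's code: one way to answer the triage questions raised in this review (which top-level dependency pulls in a flagged transitive package, and whether the installed copy is dev-only) from the `packages` map of a `package-lock.json`. The lockfile contents and package names below are constructed placeholders, and `resolve` and `whyInstalled` are hypothetical helper names.

```javascript
// Constructed sample in package-lock.json "packages" layout (lockfileVersion 3).
// Package names and versions are placeholders, not the project's real lockfile.
const sampleLock = {
  packages: {
    "": { dependencies: { "app-lib": "^1.0.0" }, devDependencies: { "lint-preset": "^2.0.0" } },
    "node_modules/app-lib": { version: "1.2.0" },
    "node_modules/lint-preset": { version: "2.1.0", dev: true, dependencies: { "lint-plugin-x": "^3.0.0" } },
    "node_modules/lint-plugin-x": { version: "3.0.1", dev: true, dependencies: { "flagged-pkg": "^4.0.0" } },
    "node_modules/flagged-pkg": { version: "4.2.0", dev: true },
  },
};

// Node-style resolution: look in the dependent's own node_modules, then walk up.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the project root without finding it
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every dependency chain from the root project to `target`,
// plus whether npm marked the installed copy as dev-only (`dev: true`).
function whyInstalled(lock, target) {
  const packages = lock.packages;
  const chains = [];
  const walk = (path, trail, seen) => {
    const entry = packages[path];
    const deps = { ...entry.dependencies, ...entry.optionalDependencies, ...entry.peerDependencies,
                   ...(path === "" ? entry.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const child = resolve(packages, path, name);
      if (!child || seen.has(child)) continue; // not installed, or a cycle
      const next = [...trail, `${name}@${packages[child].version}`];
      if (name === target) chains.push({ chain: next, devOnly: packages[child].dev === true });
      else walk(child, next, new Set(seen).add(child));
    }
  };
  walk("", [], new Set());
  return chains;
}

console.log(whyInstalled(sampleLock, "flagged-pkg"));
```

A chain that starts at a `devDependencies` entry with `devOnly: true` gives the evidence needed either to justify an exception or to decide where an override has to apply.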

@moonmeister moonmeister merged commit 590a16d into main Mar 19, 2025
4 checks passed
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Closed in Headless OSS Mar 19, 2025
@moonmeister moonmeister deleted the dependabot-svelte branch March 19, 2025 20:44