
USWDS - POAM: April ‘24 #5854

Merged: 7 commits merged into develop from cm-POAM-april-2024 on May 22, 2024

Conversation

@mahoneycm (Contributor) commented Apr 8, 2024

Summary

POAM updates for April 2024.

Breaking change

This is not a breaking change.

Related issue

Closes https://github.com/uswds/uswds/security/dependabot/77

Closes https://github.com/uswds/uswds/security/dependabot/75

Preview link

Preview link →

Major changes

Current vulnerabilities

45 vulnerabilities (15 moderate, 30 high)

After fix

43 vulnerabilities (13 moderate, 30 high)

Testing and review

  1. Run npm install.
  2. Run npm start.
  3. Update a SASS file and see it update in StorybookJS.
  4. Running npx gulp sassTests or npm run test should not fail.
  5. Run gulp tasks (like build) and ensure there aren't errors and things build correctly.
  6. Installing on site does not cause any installation or build errors.

Dependency updates

| Dep name | Old version | New version |
| --- | --- | --- |
| @babel/core | 7.23.6 | 7.24.4 |
| @babel/preset-env | 7.23.6 | 7.24.4 |
| @types/node | 20.10.4 | 20.12.5 |
| autoprefixer | 10.4.16 | 10.4.19 |
| axe-core | 4.8.2 | 4.9.0 |
| eslint-plugin-import | 2.29.0 | 2.29.1 |
| html-webpack-plugin | 5.5.4 | 5.6.0 |
| mocha | 10.2.0 | 10.4.0 |
| postcss | 8.4.32 | 8.4.38 |
| postcss-discard-comments | 6.0.0 | 6.0.2 |
| postcss-preset-env | 9.3.0 | 9.5.4 |
| sass | 1.69.5 | 1.74.1 |
| sass-embedded | 1.69.5 | 1.74.1 |
| snyk | 1.1262.0 | 1.1287.0 |
| svgo | 3.1.0 | 3.2.0 |
| typescript | 5.3.3 | 5.4.4 |
| webpack | 5.89.0 | 5.91.0 |
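The review steps in this PR (confirm the dependency table matches package.json, confirm the vulnerability counts moved in the right direction) are easy to script so they do not depend on reading two lists side by side. The Node script below is an added example, not code from the USWDS repository: it parses a "Dependency updates" table in the format used above, reconciles each row against a manifest, and diffs the `metadata.vulnerabilities` block that `npm audit --json` (npm 7 and later) emits. The table text, package.json and audit counts embedded in it are constructed for illustration; the hypothetical manifest deliberately leaves `mocha` un-bumped and omits `sass` so the checker has something to flag.

```javascript
// Added example (not USWDS project code): reconcile a POAM PR's
// "Dependency updates" table against package.json and diff the
// before/after `npm audit --json` severity counts.
// Every sample input below is constructed for illustration.

const SEMVER = /^(\d+)\.(\d+)\.(\d+)$/;

// Parse rows of the form "<name> <old> <new>". The header line and blank
// lines are skipped because they do not have exactly three columns.
function parseDepTable(text) {
  const rows = [];
  for (const line of text.split("\n")) {
    const cols = line.trim().split(/\s+/);
    if (cols.length !== 3 || !SEMVER.test(cols[1]) || !SEMVER.test(cols[2])) continue;
    rows.push({ name: cols[0], oldVersion: cols[1], newVersion: cols[2] });
  }
  return rows;
}

// Numeric x.y.z comparison; pre-release tags are not handled because the
// table only lists plain release versions. Returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.match(SEMVER).slice(1).map(Number);
  const pb = b.match(SEMVER).slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Strip a leading range operator so "^7.24.4" compares as "7.24.4".
// Assumes the manifest uses simple caret/tilde ranges, not "||" unions.
function pinnedVersion(range) {
  return range.replace(/^[\^~=>]+/, "");
}

// Flag a row when the package is absent from the manifest, when the manifest
// still declares a different version, or when "new" is not newer than "old".
function reconcile(tableText, pkg) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const row of parseDepTable(tableText)) {
    if (compareSemver(row.newVersion, row.oldVersion) <= 0) {
      findings.push({ name: row.name, kind: "not-an-upgrade", expected: row.newVersion, found: row.oldVersion });
    }
    if (!(row.name in declared)) {
      findings.push({ name: row.name, kind: "missing", expected: row.newVersion, found: null });
      continue;
    }
    const found = pinnedVersion(declared[row.name]);
    if (found !== row.newVersion) {
      findings.push({ name: row.name, kind: "stale", expected: row.newVersion, found });
    }
  }
  return findings;
}

// Compare two `metadata.vulnerabilities` objects from `npm audit --json`.
// A severity whose count went up is a regression even if the total fell.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

function auditDelta(before, after) {
  const delta = {};
  const regressions = [];
  for (const s of SEVERITIES) {
    const b = before[s] || 0;
    const a = after[s] || 0;
    delta[s] = a - b;
    if (a > b) regressions.push(s);
  }
  delta.total = (after.total || 0) - (before.total || 0);
  return { delta, regressions };
}

// --- constructed sample input (not the real USWDS manifest or audit) ---
const SAMPLE_TABLE = `
Dep name Old version New version
@babel/core 7.23.6 7.24.4
mocha 10.2.0 10.4.0
sass 1.69.5 1.74.1
webpack 5.89.0 5.91.0
`;

const SAMPLE_PACKAGE_JSON = {
  devDependencies: { "@babel/core": "^7.24.4", mocha: "^10.2.0", webpack: "^5.91.0" },
};

// Counts shaped like the PR's "Current vulnerabilities" / "After fix" lines.
const AUDIT_BEFORE = { info: 0, low: 0, moderate: 15, high: 30, critical: 0, total: 45 };
const AUDIT_AFTER = { info: 0, low: 0, moderate: 13, high: 30, critical: 0, total: 43 };

console.log(reconcile(SAMPLE_TABLE, SAMPLE_PACKAGE_JSON));
console.log(auditDelta(AUDIT_BEFORE, AUDIT_AFTER));
```

In practice the table text comes from the PR body, the manifest from `JSON.parse(fs.readFileSync("package.json"))`, and the two audit objects from `npm audit --json` run on the base and head branches; a non-empty `regressions` list or any `stale`/`missing` finding is a reason to hold the merge.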

dependabot[bot] and others added 5 commits (March 17, 2024 01:13)
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.5 to 1.15.6.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.5...v1.15.6)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [express](https://github.com/expressjs/express) from 4.18.2 to 4.19.2.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.18.2...4.19.2)

---
updated-dependencies:
- dependency-name: express
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@mahoneycm mahoneycm added Affects: Dependencies Relates to project dependencies Role: Dev Development/engineering skills needed and removed Affects: Dependencies Relates to project dependencies labels Apr 8, 2024
@mahoneycm mahoneycm marked this pull request as draft April 8, 2024 20:44
@mahoneycm mahoneycm marked this pull request as ready for review April 8, 2024 21:01
@mejiaj mejiaj mentioned this pull request Apr 9, 2024
7 tasks
@mahoneycm mahoneycm added this to the uswds 3.8.1 milestone Apr 19, 2024
@mejiaj (Contributor) left a comment


Thank you.

Tested tasks for compiling SASS, JS, SASS unit tests, and general npm install.

@amyleadem (Contributor) left a comment


Looks good to me! I performed the following checks:

  • Run fresh npm install without error
  • Run npm start without error
  • Run npm run test without error
  • Update Sass
  • Confirm the dependency updates listed in the PR description match package.json
  • Install this branch on uswds-site and confirm no build errors

@amyleadem (Contributor) commented

Note

I added this PR to the project board and marked it as fed final.

@thisisdano thisisdano merged commit 601d833 into develop May 22, 2024
5 checks passed
@thisisdano thisisdano deleted the cm-POAM-april-2024 branch May 22, 2024 21:47
Labels
Affects: Dependencies Relates to project dependencies Role: Dev Development/engineering skills needed
Projects
Status: Done

4 participants