Skip to content

Setup individual audit #1243

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Setup individual audit #1243

wants to merge 4 commits into from

Conversation

hl662
Copy link
Contributor

@hl662 hl662 commented Mar 14, 2025

This config means the pnpm audit task in the repo only runs against the root lockfile, not invidivual lockfiles across the monorepo.

(At time of writing) We have 63 high vulnerabilities and 1 critical to fix.

@hl662
Copy link
Contributor Author

hl662 commented Mar 14, 2025
edited
Loading

Every package has multiple high vulnerabilities, I would suggest tackling each package's vulns in its own separate PR...

aruniverse
aruniverse reviewed Mar 14, 2025
View reviewed changes
@aruniverse aruniverse marked this pull request as ready for review March 14, 2025 18:25
aruniverse
aruniverse reviewed Mar 14, 2025
View reviewed changes
@aruniverse
Copy link
Member

Running pnpm up -r from the root updates the deps across the entire monorepo, then running audit across each pkg reports less errors than before, for some pkgs completely resolves them.

But the following pkgs still have cves that need to be resolved:

  • @itwin/grouping-mapping-widget
  • @itwin/one-click-lca-react
  • @itwin/reports-config-widget-react

fyi @arnobmallickbsw @itwin/insights-and-reporting-platform

grigasp
grigasp reviewed Mar 17, 2025
View reviewed changes
change/@itwin-property-grid-react-fa8f64ac-f2f6-4472-9943-7b848897afa4.json
@@ -0,0 +1,7 @@
{
"type": "patch",
"comment": "resolve cves",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These messages appear in consumer-facing changelog files - they should have a meaning to consumers and be properly formatted.

Suggested change
"comment": "resolve cves",
"comment": "Bump dependencies.",

change/@itwin-tree-widget-react-606e3925-b701-4946-8d58-84282dd89762.json
@@ -0,0 +1,7 @@
{
"type": "patch",
"comment": "resolve cves",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These messages appear in consumer-facing changelog files - they should have a meaning to consumers and be properly formatted.

Suggested change
"comment": "resolve cves",
"comment": "Bump dependencies.",

.vscode/settings.json
"editor.trimAutoWhitespace": true,
"editor.defaultFormatter": "esbenp.prettier-vscode",
"editor.formatOnSave": true,
// "editor.formatOnSave": true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should these be removed instead of commented-out?

mdastous-bentley
mdastous-bentley approved these changes Mar 17, 2025
View reviewed changes
Copy link
Contributor

@mdastous-bentley mdastous-bentley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed map-layers and geo-tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aruniverse aruniverse aruniverse left review comments

@grigasp grigasp grigasp left review comments

@mdastous-bentley mdastous-bentley mdastous-bentley approved these changes

@eringram eringram Awaiting requested review from eringram eringram is a code owner

@DanishMehmood-bit DanishMehmood-bit Awaiting requested review from DanishMehmood-bit DanishMehmood-bit is a code owner

@simnorm simnorm Awaiting requested review from simnorm simnorm is a code owner

@a-gagnon a-gagnon Awaiting requested review from a-gagnon a-gagnon is a code owner

@bsy-nicholasw bsy-nicholasw Awaiting requested review from bsy-nicholasw bsy-nicholasw is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@hl662 @aruniverse @mdastous-bentley @grigasp