Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update JavaScript dependencies #329

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Update JavaScript dependencies #329

wants to merge 6 commits into from

Conversation

danyeaw
Copy link
Contributor

@danyeaw danyeaw commented Mar 25, 2025
edited
Loading

Fixes #324 by updating JS development dependencies:

  • Updates po2json to a 1.0 beta version which removes dependencies on nomnom and replaces it with commander
  • Updates less from version 2 to the latest less version
  • Commander, gettext-parser, and gettext-to-messageformat were added as explicit dev dependencies because otherwise I was getting errors with unmet peer dependencies.
  • Remove a dev dependency on bower
  • Fix an issue where runtime dependency on google-caja was sometimes not pulling the right tagged version from GitHub by directly using the archive of the version
  • Upgrade NodeJS on CI to version 16.x since some of the updated modules were incompatible with NodeJS 12 and 14.

Prior to the changes:

~/P/nbclassic (main|✔) $ yarn audit                                                                                     (nbclassic) 
yarn audit v1.22.22
22 vulnerabilities found - Packages audited: 721
Severity: 12 Moderate | 9 High | 1 Critical

Result after the change:

~/P/nbclassic (update-dependencies|✔) $ yarn audit                                                                      (nbclassic) 
yarn audit v1.22.22
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Bootstrap Cross-Site Scripting (XSS) vulnerability           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ bootstrap                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @bower_components/bootstrap-tour                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @bower_components/bootstrap-tour > bootstrap                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1102099                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 420
Severity: 1 Moderate

@danyeaw danyeaw force-pushed the update-dependencies branch from 9a48719 to 09b8ee5 Compare March 25, 2025 20:55
@danyeaw danyeaw force-pushed the update-dependencies branch from 09b8ee5 to 1070ba9 Compare March 25, 2025 20:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Security vulnerabilities in JS components of last released version
1 participant
@danyeaw