Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

USWDS-Site - POAM: January ‘25 #3063

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

USWDS-Site - POAM: January ‘25 #3063

wants to merge 1 commit into from

Conversation

cathybaptista
Copy link
Contributor

@cathybaptista cathybaptista commented Jan 13, 2025
edited
Loading

Summary

Updated vulnerable dependencies.

Breaking change

This is not a breaking change.

Related issue

USWDS-Team - POAM: January '25

Preview link

Preview link →

Major changes

Before:

3 vulnerabilities (3 moderate)

After:

3 vulnerabilities (3 moderate)

Testing and review

  1. Pull down and run npm install
  2. Confirm no installation errors
  3. Confirm no build errors
  4. Run npm run test
  5. Confirm no testing or linting errors
  6. Start local or visit preview link
  7. Confirm there are no visual regressions.

Dependency updates

Gem updates

Dependency name Old version New version
bigdecimal 3.1.8 3.1.9
ffi 1.17.0-arm64-darwin 1.17.1-arm64-darwin
google-protobuf 4.29.1-arm64-darwin 4.29.3-arm64-darwin
json 2.9.0 2.9.1
nokogiri 1.17.2-arm64-darwin 1.18.1-arm64-darwin
sass-embedded 1.83.0-arm64-darwin 1.83.1-arm64-darwin

Node updates

Dependency name Old version New version
postcss ^8.4.49 ^8.5.0
sass ^1.83.0 ^1.83.1
snyk ^1.1294.3 ^1.1295.0

@cathybaptista cathybaptista mentioned this pull request Jan 13, 2025
Open
7 tasks
@cathybaptista cathybaptista marked this pull request as ready for review January 13, 2025 23:52
@cathybaptista cathybaptista requested a review from a team as a code owner January 13, 2025 23:52
mahoneycm
mahoneycm previously approved these changes Jan 16, 2025
View reviewed changes
Copy link
Contributor

@mahoneycm mahoneycm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

  • No observed regressions
  • Install and tests run without error
  • No additional updates available

@mahoneycm mahoneycm dismissed their stale review January 22, 2025 18:12

New vulnerability popped up

@mahoneycm
Copy link
Contributor

@cathybaptista since we updated in compile, can we resolve this new undici vulnerability that's showing up now?

https://github.com/uswds/uswds-site/security/dependabot/92

@mahoneycm mahoneycm mentioned this pull request Jan 22, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mahoneycm mahoneycm mahoneycm left review comments

@heymatthenry heymatthenry Awaiting requested review from heymatthenry

@thisisdano thisisdano Awaiting requested review from thisisdano

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cathybaptista @mahoneycm