
chore: Update deps with reported security vulnerabilities (first pass) #742

Merged
merged 3 commits on Nov 4, 2024

Conversation

arcoraven
Contributor

@arcoraven arcoraven commented Oct 29, 2024

PR-Codex overview

This PR updates the dependencies in the package.json and yarn.lock files, including major version upgrades for various packages, which may enhance functionality, security, and performance.

Detailed summary

  • Updated @aws-sdk/client-kms from ^3.398.0 to ^3.679.0
  • Updated @bull-board/fastify from ^5.21.1 to ^5.23.0
  • Updated @fastify/cookie from ^8.3.0 to ^9.2.0
  • Updated body-parser from ^1.20.2 to ^1.20.3
  • Updated dd-trace from ^5.19.0 to ^5.23.0
  • Updated fastify from ^4.15.0 to ^4.28.1
  • Updated @types/node and other @smithy dependencies to newer versions
  • Resolved conflicts and improved dependency versions across various packages.

The following files were skipped due to too many changes: yarn.lock


"@bull-board/fastify": "^5.21.1",
"@cloud-cryptographic-wallet/cloud-kms-signer": "^0.1.2",
"@cloud-cryptographic-wallet/signer": "^0.0.5",
"@fastify/basic-auth": "^5.1.1",
"@fastify/cookie": "^8.3.0",
"@fastify/cookie": "^9.2.0",
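Review bot: The @fastify/cookie line is the one major-version change in this hunk (^8.3.0 to ^9.2.0), and the author's own lookup output below still reports @fastify/[email protected] resolved underneath @thirdweb-dev/auth, which suggests the tree will carry both an 8.x and a 9.x copy unless that package's range admits 9.x. Worth confirming with `yarn why @fastify/cookie` after a clean install that a single version resolves; if the nested 8.3.0 stays, the security motivation behind this PR only reaches the top-level import and not the auth path, and a `resolutions` entry in package.json (or an upstream bump in @thirdweb-dev/auth) is what closes that gap. Note also that the range is still a caret, so the effective pin lives in yarn.lock rather than on this line.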
Contributor Author

This is the only major version bump and impacts thirdweb-dev/auth:
=> Found "@thirdweb-dev/auth#@fastify/[email protected]"

I tested dashboard auth and access token auth to confirm there were no breaking changes.


socket-security bot commented Oct 29, 2024

New and removed dependencies detected.

Package New capabilities Transitives Size Publisher
npm/@aws-crypto/[email protected] None +5 272 kB aws-crypto-tools-ci-bot
npm/@aws-crypto/[email protected] None 0 28.4 kB aws-crypto-tools-ci-bot
npm/@aws-crypto/[email protected] None 0 30.7 kB aws-crypto-tools-ci-bot
npm/@aws-sdk/[email protected] None 0 1.69 MB aws-sdk-bot
npm/@aws-sdk/[email protected] None 0 283 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 201 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 450 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 78.3 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 19.9 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None +1 95.2 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 50.2 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 36.4 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] shell 0 24.2 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 36 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 32.5 kB aws-sdk-bot
npm/@aws-sdk/[email protected] None 0 19.1 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 19.5 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 18.8 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 36.6 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 24.3 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 35.3 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 51.9 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 50.3 kB amzn-oss, aws-sdk-bot, kuhe, ...2 more
npm/@aws-sdk/[email protected] None 0 19.7 kB aws-sdk-bot
npm/@aws-sdk/[email protected] None 0 21.7 kB aws-sdk-bot
npm/@bull-board/[email protected] eval 0 65.9 kB felixmosh
npm/@bull-board/[email protected] None 0 12.5 kB felixmosh
npm/@bull-board/[email protected] None 0 3.36 MB felixmosh
npm/@datadog/[email protected] Transitive: environment, filesystem +1 18.7 MB datadog
npm/@datadog/[email protected] eval, filesystem 0 2.51 MB datadog
npm/@datadog/[email protected] None 0 12.3 MB datadog
npm/@fastify/[email protected] None 0 95 kB matteo.collina
npm/@grpc/[email protected] Transitive: filesystem +1 2.06 MB murgatroid99
npm/@smithy/[email protected] None 0 19.7 kB smithy-team, trivikr-aws
npm/@smithy/[email protected] Transitive: environment +3 339 kB smithy-team
npm/@smithy/[email protected] None +2 203 kB smithy-team, trivikr-aws
npm/@smithy/[email protected] environment, network 0 63 kB smithy-team
npm/@smithy/[email protected] network 0 33.8 kB smithy-team
npm/@smithy/[email protected] None 0 18 kB smithy-team
npm/@smithy/[email protected] None 0 16.1 kB smithy-team, trivikr-aws
npm/@smithy/[email protected] None 0 18.5 kB smithy-team, trivikr-aws
npm/@smithy/[email protected] Transitive: environment, filesystem +2 124 kB smithy-team, trivikr-aws
npm/@smithy/[email protected] None +2 294 kB smithy-team, trivikr-aws
npm/@smithy/[email protected] None 0 43 kB smithy-team, trivikr-aws
npm/@smithy/[email protected] network +1 110 kB smithy-team
npm/@smithy/[email protected] None 0 16.4 kB smithy-team
npm/@smithy/[email protected] None 0 23.1 kB smithy-team
npm/@smithy/[email protected] None 0 96.1 kB smithy-team
npm/@smithy/[email protected] None 0 23.4 kB smithy-team, trivikr-aws
npm/@smithy/[email protected] None 0 25.1 kB smithy-team, trivikr-aws
npm/@smithy/[email protected] None 0 77.3 kB smithy-team
npm/[email protected] network +3 350 kB ulisesgascon
npm/[email protected] None +1 16.9 kB defunctzombie, dougwilson, ulisesgascon
npm/[email protected] environment, eval, filesystem, network, shell, unsafe +2 2.27 MB datadog
npm/[email protected] None 0 172 kB amitgupta
npm/[email protected] eval 0 386 kB matteo.collina
npm/[email protected] unsafe 0 113 kB nodejs-foundation
npm/[email protected] None 0 69.2 kB fent
npm/[email protected] None 0 7.94 kB jsumners
npm/[email protected] None +1 717 kB gregthegreek, jdevcs, luu-alex, ...2 more
npm/[email protected] None 0 957 kB luu-alex

🚮 Removed packages: npm/@aws-crypto/[email protected], npm/@aws-crypto/[email protected], npm/@aws-crypto/[email protected], npm/@aws-crypto/[email protected], npm/@aws-crypto/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@aws-sdk/[email protected], npm/@bull-board/[email protected], npm/@bull-board/[email protected], npm/@bull-board/[email protected], npm/@datadog/[email protected], npm/@datadog/[email protected], npm/@datadog/[email protected], npm/@fastify/[email protected], npm/@grpc/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/@smithy/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]


"cookie": "^0.5.0",
"cookie-parser": "^1.4.6",
"cookie": "^0.7.0",
"cookie-parser": "^1.4.7",
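Review bot: On the `cookie` line, `^0.7.0` is tighter than the caret suggests: for a 0.x version npm's caret keeps the left-most non-zero component fixed, so `^0.7.0` admits only 0.7.x patch releases and not 0.8.0, whereas the `cookie-parser` range `^1.4.7` floats across minors up to but excluding 2.0.0. In both cases what is actually installed is whatever yarn.lock resolved; switching these to exact versions changes nothing until the lock is regenerated. So if the concern raised below is an unreviewed patch update sneaking in, the lockfile committed with this PR plus a frozen-lockfile install in CI (`yarn install --frozen-lockfile`) is the control that matters, and exact pins are an additional guard on top of it rather than a substitute.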
Member

I would recommend using strict versions here rather than ^ ones. You never know what patch update is going to get sneaked in there otherwise.

Contributor Author

Hmm, I think this is a mixed opinion; I will ping the channel for more thoughts.

Updating minor versions gets us security/performance improvements, but you're right it can introduce unintentional breaking changes.
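The caret-versus-exact-pin exchange above turns on what a `^` range actually admits. What follows is an added example, not code from this PR or from the thirdweb project: a small Node script that implements npm's caret rule for plain MAJOR.MINOR.PATCH versions and shows why `^0.7.0` and `^1.4.7` behave differently, plus a helper that turns declared ranges into exact pins from a lockfile-style map and flags any lockfile entry that falls outside its declared range. The candidate version lists and the `SAMPLE_LOCK` contents are constructed for the demonstration, and all function names are mine.

```javascript
// Added example (not code from the PR or project): npm caret-range semantics
// for the "^" versus exact-pin discussion. Plain Node, no npm dependencies.

// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch]. Pre-release tags,
// tildes, "||" unions and workspace protocols are deliberately rejected:
// they change range semantics and are outside what this example shows.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Bounds [lowerInclusive, upperExclusive] of a caret range, following npm's
// rule: allow changes that do not modify the left-most non-zero component.
//   ^1.4.7 -> [1.4.7, 2.0.0)   ^0.7.0 -> [0.7.0, 0.8.0)   ^0.0.5 -> [0.0.5, 0.0.6)
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const [maj, min, pat] = parseVersion(range.slice(1));
  let upper;
  if (maj > 0) upper = [maj + 1, 0, 0];
  else if (min > 0) upper = [0, min + 1, 0];
  else upper = [0, 0, pat + 1];
  return [[maj, min, pat], upper];
}

// True when `version` is admitted by `range`. A range without "^" is treated
// as an exact pin (the "strict version" the reviewer asked for).
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const [lo, hi] = caretBounds(range);
    return compare(v, lo) >= 0 && compare(v, hi) < 0;
  }
  return compare(v, parseVersion(range)) === 0;
}

// Which of the candidate releases an installer is allowed to pick for a range.
function admitted(range, candidates) {
  return candidates.filter((c) => satisfies(c, range));
}

// Turn declared package.json ranges into exact pins taken from a lockfile-style
// {name: resolvedVersion} map. Entries whose locked version is outside the
// declared range (manifest bumped, lock not regenerated) are reported as drift
// instead of being pinned, since pinning them would silently keep the old build.
function pinFromLock(deps, locked) {
  const pinned = {};
  const drift = [];
  for (const [name, range] of Object.entries(deps)) {
    const resolved = locked[name];
    if (resolved === undefined) {
      drift.push(`${name}: missing from lockfile`);
    } else if (!satisfies(resolved, range)) {
      drift.push(`${name}: locked ${resolved} outside ${range}`);
    } else {
      pinned[name] = resolved;
    }
  }
  return { pinned, drift };
}

// Constructed sample input: the ranges mirror the diff above, but the candidate
// release lists and the lockfile contents are made up for this demo.
const SAMPLE_DEPS = { cookie: '^0.7.0', 'cookie-parser': '^1.4.7', 'body-parser': '^1.20.3' };
const SAMPLE_LOCK = { cookie: '0.7.2', 'cookie-parser': '1.4.7', 'body-parser': '1.20.2' };

console.log('^0.7.0 admits:', admitted('^0.7.0', ['0.6.9', '0.7.0', '0.7.2', '0.8.0', '1.0.0']));
console.log('^1.4.7 admits:', admitted('^1.4.7', ['1.4.6', '1.4.7', '1.5.0', '1.20.3', '2.0.0']));
console.log('pins/drift:', pinFromLock(SAMPLE_DEPS, SAMPLE_LOCK));
```

Run it with `node` and it prints the releases each range admits and the pin/drift result; the `body-parser` drift line is the case where package.json was bumped but the lock still holds the older version, which is exactly what a frozen-lockfile install in CI would also catch. For real manifests, which carry tildes, unions and pre-release tags this parser refuses, the `semver` package is the reference implementation of these rules.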

@arcoraven arcoraven merged commit 9877b35 into main Nov 4, 2024
5 checks passed
@arcoraven arcoraven deleted the ph/updateDeps branch November 4, 2024 04:26
3 participants