
fix: update package-lock for high severity items

Open shazron opened this issue 1 year ago • 3 comments

fixes #617

Description

Only moderate items remain:

$ npm audit
# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @adobe/[email protected], which is a breaking change
node_modules/axios
  @adobe/aio-lib-console-project-installation  *
  Depends on vulnerable versions of axios
  node_modules/@adobe/aio-lib-console-project-installation
  @adobe/aio-lib-templates  *
  Depends on vulnerable versions of axios
  node_modules/@adobe/aio-lib-templates
    @adobe/aio-cli-plugin-app  9.2.0-pre.2022-09-27.805ee90c || >=10.0.0
    Depends on vulnerable versions of @adobe/aio-lib-templates
    node_modules/@adobe/aio-cli-plugin-app
    @adobe/aio-cli-plugin-app-templates  *
    Depends on vulnerable versions of @adobe/aio-lib-console-project-installation
    Depends on vulnerable versions of @adobe/aio-lib-templates
    node_modules/@adobe/aio-cli-plugin-app-templates

5 moderate severity vulnerabilities

Types of changes

  • [X] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • [X] I have signed the Adobe Open Source CLA.
  • [ ] My code follows the code style of this project.
  • [ ] My change requires a change to the documentation.
  • [ ] I have updated the documentation accordingly.
  • [X] I have read the CONTRIBUTING document.
  • [ ] I have added tests to cover my changes.
  • [X] All new and existing tests passed.

shazron avatar May 14 '24 11:05 shazron
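The PR above leaves only moderate findings and relies on reading `npm audit` by eye. A CI gate that fails on high or critical findings but only reports moderate ones is the usual way to make that policy explicit. The script below is an added example, not code from aio-cli or from the PR author; it assumes the npm v7+ `npm audit --json` format (a `vulnerabilities` map keyed by package name plus `metadata.vulnerabilities` counts). The embedded sample is constructed to mirror the audit output quoted in the PR, with the elided fix version left out.

```javascript
// Added example (not aio-cli project code): gate on `npm audit --json` by severity.
// Assumed input format: npm v7+ audit JSON. Run as `node audit-gate.js [report.json]`;
// with no argument it evaluates the constructed SAMPLE_AUDIT below.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample modelled on the PR's audit output. Only the axios entry carries
// an advisory object in `via`; dependents reference the vulnerable package by name.
// The fix version is omitted because the PR text elides it.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: "axios", severity: "moderate", isDirect: false, range: "0.8.1 - 0.27.2",
      via: [{ source: 1, name: "axios", title: "Axios Cross-Site Request Forgery Vulnerability",
              url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx", severity: "moderate",
              range: "0.8.1 - 0.27.2" }],
      fixAvailable: { name: "@adobe/aio-cli-plugin-app", isSemVerMajor: true },
    },
    "@adobe/aio-lib-console-project-installation": {
      name: "@adobe/aio-lib-console-project-installation", severity: "moderate",
      isDirect: false, range: "*", via: ["axios"], fixAvailable: true,
    },
    "@adobe/aio-lib-templates": {
      name: "@adobe/aio-lib-templates", severity: "moderate", isDirect: false,
      range: "*", via: ["axios"], fixAvailable: true,
    },
    "@adobe/aio-cli-plugin-app": {
      name: "@adobe/aio-cli-plugin-app", severity: "moderate", isDirect: true,
      range: "9.2.0-pre.2022-09-27.805ee90c || >=10.0.0",
      via: ["@adobe/aio-lib-templates"], fixAvailable: true,
    },
    "@adobe/aio-cli-plugin-app-templates": {
      name: "@adobe/aio-cli-plugin-app-templates", severity: "moderate", isDirect: true,
      range: "*", via: ["@adobe/aio-lib-console-project-installation", "@adobe/aio-lib-templates"],
      fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 5, high: 0, critical: 0, total: 5 } },
};

// Split findings into those at or above `failOn` (blocking) and the rest (reported only).
// Advisory URLs are taken from object entries in `via`; string entries are transitive
// references to another package and carry no advisory of their own.
function auditFindings(report, { failOn = "high" } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity level: ${failOn}`);
  const blocking = [];
  const remaining = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities ?? {})) {
    const rank = SEVERITY_RANK[vuln.severity] ?? -1; // unknown severity never blocks silently
    const advisories = (vuln.via ?? []).filter((v) => typeof v === "object").map((v) => v.url);
    const entry = {
      name, severity: vuln.severity, range: vuln.range, advisories,
      breakingFix: typeof vuln.fixAvailable === "object" && vuln.fixAvailable.isSemVerMajor === true,
    };
    (rank >= threshold ? blocking : remaining).push(entry);
  }
  return { ok: blocking.length === 0, blocking, remaining };
}

// Sanity check against truncated or hand-edited reports: the per-severity counts in
// `metadata.vulnerabilities` must match what is actually listed under `vulnerabilities`.
function countsMatchMetadata(report) {
  const counts = {};
  for (const v of Object.values(report.vulnerabilities ?? {})) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
  }
  const meta = report.metadata?.vulnerabilities ?? {};
  return Object.keys(SEVERITY_RANK).every((s) => (meta[s] || 0) === (counts[s] || 0));
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const report = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_AUDIT;
  if (!countsMatchMetadata(report)) {
    console.error("audit report is inconsistent with its metadata counts");
    process.exitCode = 2;
  } else {
    const result = auditFindings(report, { failOn: process.env.AUDIT_FAIL_ON || "high" });
    for (const e of result.blocking) console.error(`BLOCKING ${e.severity} ${e.name} ${e.range} ${e.advisories.join(" ")}`);
    for (const e of result.remaining) console.log(`noted ${e.severity} ${e.name} ${e.range}${e.breakingFix ? " (fix is a major bump)" : ""}`);
    process.exitCode = result.ok ? 0 : 1;
  }
}

module.exports = { SEVERITY_RANK, SAMPLE_AUDIT, auditFindings, countsMatchMetadata };
```

Run with `npm audit --json > report.json && node audit-gate.js report.json`; set `AUDIT_FAIL_ON=moderate` to make the five remaining findings from the PR fail the gate instead of merely being printed. The `breakingFix` flag surfaces the `isSemVerMajor` case that `npm audit fix --force` would otherwise apply silently, which is exactly the axios situation described in the PR.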

⚠️

  1. ~npm run gen-health fails. (All)~ FIXED
  2. ~npm run postpack fails (Windows, rm does not exist)~ FIXED
  3. ~npm run unlink fails (Windows, rm does not exist)~ defer to new issue, may be irrelevant. see #618
  4. ~npm run link fails (are we doing linking on Windows?)~ defer to new issue, may be irrelevant. see #618

shazron avatar May 14 '24 11:05 shazron

~codecov needs to be updated with v4 and using the codecov token:~

    - name: upload coverage
      if: success()
      uses: codecov/codecov-action@v4
      with:
        name: ${{ runner.os }} node.js ${{ matrix.node-version }}
        token: ${{ secrets.CODECOV_TOKEN }}
        fail_ci_if_error: false

updated

shazron avatar May 14 '24 11:05 shazron

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (91824d7) to head (3c5a06c). Report is 1 commit behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##            master      #616   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            5         5           
  Lines          238       238           
  Branches        47        47           
=========================================
  Hits           238       238           


codecov[bot] avatar May 14 '24 12:05 codecov[bot]