Some security updates #792
base: main
Conversation
018f0ec to 9605f7f
Codecov Report
@@            Coverage Diff             @@
##             main     #792      +/-   ##
==========================================
- Coverage   98.29%   97.88%   -0.41%
==========================================
  Files          50       53       +3
  Lines        1052     1080      +28
==========================================
+ Hits         1034     1057      +23
- Misses         18       23       +5
ab352b3 to 5508ad0
* 14.x is the min supported/tested version. Reflect that everywhere
  * Update README
  * Update package files
  * Update package version to current release

* Move single OS out of matrix
* Add 20.x to node versions
* Add 20.x-exclusive `codecov` field to matrix
* Update actions/checkout to v3
* Remove unused windows-only step
* Update actions/setup-node to v3
* Remove actions/setup-node name
* Move CI env to job level
* Split out monolithic build step into different runs
* Update codecov/codecov-action to v3
* Update codecov/codecov-action conditional to `codecov`

* Upgrade some packages
  * cosmiconfig
  * mocha
  * Update lockfile (transient deps)

* Update package script wrapper
  * Remove file extension restriction
  * Ignore unknown files
  * Add a graphql file to ignores
  * Run formatter. Newly covered
    * .babelrc
    * *.jsx
    * *.tsx?
    * *.vue
5508ad0 to 46ba4d9

bc6b10f to f868465
@ed-flanagan There are some great updates here but I'm thinking perhaps splitting this up in a couple of PRs would help facilitate review and release. For example, bumping the
Here's how I would split this up:
What do you think?
Broke out non-breaking dependency updates and audit fix into #801.
Agree that this PR could be split into smaller chunks to help reviewability.
A GitHub security advisory for `yaml` [1][2] (transitive dependency of `cosmiconfig` < 8 [3]) originally prompted me to draft this PR. However, sometime after drafting, the security advisory has further constrained the affected version boundary [4], which removes the used `cosmiconfig` from scope.

Nevertheless, I had to configure Actions and such to trigger on my fork and figured I'd upstream the changes I made. Feel free to take/ignore whatever. I tried to chunk discrete changes into each commit. Felt they may be useful, besides the `npm audit` changes, largely just refactors and using some extra GitHub features:

* `codecov` field to matrix (feel this is a more extensible conditional matrix pattern [5])
* `codecov`
* `npm audit`
* `cosmiconfig` (uses older `yaml`)
* `mocha`
Footnotes

1. https://github.com/advisories/GHSA-f9xv-q969-pqx4
2. https://www.npmjs.com/package/yaml
3. https://github.com/cosmiconfig/cosmiconfig/blob/main/CHANGELOG.md#800
4. https://github.com/github/advisory-database/commit/0852ba747a815ccac173afe1c96360f33125bc04
5. https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#example-expanding-configurations
6. https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs#using-the-nodejs-starter-workflow
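The comment above turns on a question `npm audit` answers only coarsely: which package in the tree actually pulls in the advisory's dependency, which version it resolves to under Node's nearest-`node_modules` lookup, and whether that version is inside the affected range after the lower bound was narrowed. The script below is an added example written for this page, not code from this PR or from the project. It reads the `packages` map that `package-lock.json` (lockfileVersion 2 or 3) carries, keyed by install path; the lockfile and the two version ranges are constructed for illustration and are not the advisory's real boundaries, so substitute the "affected versions" from the advisory page before relying on a result.

```javascript
// Added example (not project code). Walks a lockfileVersion 2/3 "packages" map,
// finds every package that declares a dependency on NAME, resolves it the way
// Node would, and flags the resolved version against a [min, max) range.

// Minimal semver parse/compare for "x.y.z[-pre][+build]"; no external deps so it runs offline.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function cmpSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  // Same core version: a prerelease sorts before the release (2.2.2-0 < 2.2.2).
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1; // lexical; adequate for simple prerelease tags
}

// Range semantics: min inclusive (null = no lower bound), max exclusive.
function inRange(version, { min, max }) {
  if (min !== null && cmpSemver(version, min) < 0) return false;
  return cmpSemver(version, max) < 0;
}

// Node resolution: <from>/node_modules/<name>, then each ancestor's node_modules.
function resolveFrom(pkgs, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (pkgs[candidate]) return { path: candidate, version: pkgs[candidate].version };
    if (base === '') return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

function auditLock(lock, name, range) {
  const pkgs = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
    if (!(name in deps)) continue;
    const resolved = resolveFrom(pkgs, path, name);
    if (!resolved) continue; // declared but not installed (e.g. optional dep)
    findings.push({
      dependent: path === '' ? (lock.name || '(root)') : path.split('node_modules/').pop(),
      declared: deps[name],
      resolved: resolved.version,
      installedAt: resolved.path,
      affected: inRange(resolved.version, range),
    });
  }
  return findings;
}

// Constructed lockfile (illustration only): the root depends on cosmiconfig 7, which
// keeps a private yaml 1.x under its own node_modules, while a newer yaml 2.x is
// hoisted to the top level as a devDependency of the root project.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'example-app', version: '1.0.0',
      dependencies: { cosmiconfig: '^7.0.0' },
      devDependencies: { yaml: '^2.0.0' },
    },
    'node_modules/cosmiconfig': { version: '7.1.0', dependencies: { yaml: '^1.10.0' } },
    'node_modules/cosmiconfig/node_modules/yaml': { version: '1.10.2' },
    'node_modules/yaml': { version: '2.1.3' },
  },
};

// Placeholder ranges, not the advisory's real boundaries. The first has a lower
// bound (the "narrowed" shape); the second is unbounded below.
const AFFECTED_RANGE = { min: '2.0.0-5', max: '2.2.2' };
const BROAD_RANGE = { min: null, max: '2.2.2' };

console.table(auditLock(SAMPLE_LOCK, 'yaml', AFFECTED_RANGE));
```

Against the constructed lock, the narrowed range flags only the root's hoisted `yaml` 2.1.3 and leaves `cosmiconfig`'s private 1.10.2 out of scope, which is the effect the comment describes; the unbounded range flags both. To run it on a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfileVersion 1 files have no `packages` map and would need their nested `dependencies` tree walked instead.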