
v3 dependencies #14914

Merged
merged 10 commits into from
Nov 22, 2022

Conversation

alexandrebodin
Member

@alexandrebodin alexandrebodin commented Nov 17, 2022

What does it do?

Continues work started in #14725.

Why is it needed?

To fix some dep security vulnerabilities

How to test it?

yarn setup & run the getstarted

Related issue(s)/PR(s)

Let us know if this is related to any issue/pull request

@alexandrebodin alexandrebodin changed the title wip v3 dependencies Nov 17, 2022
@codecov

codecov bot commented Nov 17, 2022

Codecov Report

❗ No coverage uploaded for pull request base (releases/3.6.11@86f882b). Click here to learn what that means.
Patch has no changes to coverable lines.

❗ Current head 7215c92 differs from pull request most recent head ba3552d. Consider uploading reports for the commit ba3552d to get more accurate results

Additional details and impacted files
@@                Coverage Diff                 @@
##             releases/3.6.11   #14914   +/-   ##
==================================================
  Coverage                   ?   58.20%           
==================================================
  Files                      ?      185           
  Lines                      ?     6443           
  Branches                   ?     1404           
==================================================
  Hits                       ?     3750           
  Misses                     ?     2230           
  Partials                   ?      463           
Flag    Coverage Δ
front   ∅ <0.00%> (?)
unit    58.20% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.


☔ View full report at Codecov.

@derrickmehaffy derrickmehaffy added source: dependencies Source is dependency problem pr: security This PR is security issue labels Nov 18, 2022
@derrickmehaffy derrickmehaffy added this to the 3.6.11 milestone Nov 18, 2022
@alexandrebodin alexandrebodin marked this pull request as ready for review November 21, 2022 14:35
@derrickmehaffy
Member

Changelog

  • Removed node 12 tests
  • git-url-parse: 11.4.4 -> 13.1.0
  • immer: ^8.0.1 -> 9.0.16
  • koa-passport: 4.1.4 -> 5.0.0
  • moment: ^2.29.1 -> ^2.29.4
  • sanitize-html: 2.3.3 -> 2.7.2
  • sharp: 0.29.0 -> 0.31.1
  • package-json: 6.5.0 -> 7.0.0 (this may not fix all the vulns but we can't upgrade further as they have gone full ESM-only)
  • Several nested dependencies updated as a result of these upgrades
  • Decreased total number of vulnerabilities from ~430 to 392
    • v3.6.10: 10 Low | 131 Moderate | 233 High | 57 Critical
    • v3.6.11: 10 Low | 113 Moderate | 220 High | 49 Critical

Packages we will not upgrade in v3

Breaking changes

  • swagger-ui-dist: Breaks application during upgrade, too much effort required to upgrade
  • mongoose: Breaks application during upgrade, too much effort required to upgrade
  • package-json: Converted to ESM only, breaking changes
  • mailgun-js: Package no longer maintained, replacement has far too many breaking changes to backport updates in v4
  • axios: Breaks application during upgrade, too much effort required to upgrade
  • graphql-upload: Breaks application during upgrade, too much effort required to upgrade, package moved to ESM only
  • koa-router: Breaks application during upgrade, too much effort required to upgrade
  • apollo-server-koa: Breaks application during upgrade, too much effort required to upgrade

Exploitation not possible

  • enzyme: Exploitation not possible in our use-case or in production deployments
  • cheerio: Exploitation not possible in our use-case or in production deployments
  • autoprefixer: Exploitation not possible in our use-case or in production deployments
  • css-loader: Exploitation not possible in our use-case or in production deployments
  • postcss: Exploitation not possible in our use-case or in production deployments
  • markdown-it: Exploitation not possible in our use-case or in production deployments
  • draft-js: Exploitation not possible in our use-case or in production deployments
  • request: Exploitation not possible in our use-case or in production deployments
  • node-schedule: Exploitation not possible in our use-case or in production deployments
  • mini-css-extract-plugin: Exploitation not possible in our use-case or in production deployments
  • file-loader: Exploitation not possible in our use-case or in production deployments
  • babel-eslint: Exploitation not possible in our use-case or in production deployments
  • eslint-import-resolver-node: Exploitation not possible in our use-case or in production deployments
  • tsconfig-paths: Exploitation not possible in our use-case or in production deployments
  • babel-loader: Exploitation not possible in our use-case or in production deployments
  • yargs: Exploitation not possible in our use-case or in production deployments
  • webpack-dev-server: Exploitation not possible in our use-case or in production deployments
  • webpack: Exploitation not possible in our use-case or in production deployments
  • html-webpack-plugin: Exploitation not possible in our use-case or in production deployments
  • webpack-cli: Exploitation not possible in our use-case or in production deployments
  • inquirer: Exploitation not possible in our use-case or in production deployments
  • friendly-errors-webpack-plugin: Exploitation not possible in our use-case or in production deployments
  • node-fetch: Only used in limited places in the code-base that bad actors cannot interact with

Repo Management

  • husky: Doesn't impact projects, only repo management
  • stylelint: Doesn't impact projects, only repo management
  • jest-circus: Doesn't impact projects, only repo management
  • jest-cli: Doesn't impact projects, only repo management
  • jest: Doesn't impact projects, only repo management
  • lerna: Doesn't impact projects, only repo management
  • snyk: Doesn't impact projects, only repo management

No longer maintained

  • ejs: Package (strapi-hook-ejs) isn't used and isn't recommended for usage
  • pkgcloud: Only used by the rackspace provider which we have cut all ties with
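The changelog above reports the upgrade's effect as severity counts ("10 Low | 113 Moderate | 220 High | 49 Critical") and separates packages that were fixed from those deliberately left alone. The following is an added example, not Strapi project code, of how to produce that kind of before/after comparison from two `yarn audit --json` runs and turn it into a CI gate. It assumes yarn v1's NDJSON audit format (one JSON object per line, typed `auditAdvisory` or `auditSummary`); the advisory records embedded below are constructed samples that only borrow module names from the changelog, not real advisories.

```python
"""Tally `yarn audit --json` output by severity and diff two snapshots."""
import json
from collections import Counter

# Severity order used by yarn's summary line ("10 Low | 113 Moderate | ...").
SEVERITIES = ("low", "moderate", "high", "critical")


def _advisory_line(module, severity, adv_id):
    # Constructed auditAdvisory record in yarn v1's NDJSON shape (one per
    # vulnerable dependency path). The advisories are samples, not real ones.
    return json.dumps({
        "type": "auditAdvisory",
        "data": {
            "resolution": {"id": adv_id, "path": f"strapi>{module}"},
            "advisory": {"id": adv_id, "module_name": module,
                         "severity": severity, "title": "constructed sample"},
        },
    })


def _summary_line():
    # Constructed auditSummary record; the parser below ignores it.
    return json.dumps({"type": "auditSummary", "data": {"vulnerabilities": {}}})


# Constructed "before" snapshot: modules named in the changelog above.
AUDIT_BEFORE = "\n".join([
    _advisory_line("git-url-parse", "high", 1),
    _advisory_line("sanitize-html", "moderate", 2),
    _advisory_line("sharp", "high", 3),
    _advisory_line("immer", "critical", 4),
    _advisory_line("mongoose", "critical", 5),
    _advisory_line("moment", "high", 6),
    _summary_line(),
])

# Constructed "after" snapshot: only the package that was deliberately not bumped.
AUDIT_AFTER = "\n".join([
    _advisory_line("mongoose", "critical", 5),
    _summary_line(),
])


def parse_advisories(ndjson):
    """Return the advisory objects from yarn's NDJSON, ignoring summary lines."""
    advisories = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("type") == "auditAdvisory":
            advisories.append(record["data"]["advisory"])
    return advisories


def tally(ndjson):
    """Count advisories per severity; every severity appears, even at zero."""
    counts = Counter(a["severity"] for a in parse_advisories(ndjson))
    return {s: counts.get(s, 0) for s in SEVERITIES}


def format_summary(counts):
    """Render counts in the changelog's 'N Low | N Moderate | ...' style."""
    return " | ".join(f"{counts[s]} {s.capitalize()}" for s in SEVERITIES)


def diff(before, after):
    """Per-severity change between two snapshots (negative means fewer)."""
    b, a = tally(before), tally(after)
    return {s: a[s] - b[s] for s in SEVERITIES}


def remaining_modules(ndjson):
    """Sorted, de-duplicated module names still flagged in a snapshot."""
    return sorted({a["module_name"] for a in parse_advisories(ndjson)})


def gate(ndjson, max_by_severity):
    """CI-style check: (ok, violations) against per-severity ceilings."""
    counts = tally(ndjson)
    violations = [f"{s}: {counts[s]} > {limit}"
                  for s, limit in max_by_severity.items() if counts[s] > limit]
    return (not violations, violations)


if __name__ == "__main__":
    print("before:", format_summary(tally(AUDIT_BEFORE)))
    print("after: ", format_summary(tally(AUDIT_AFTER)))
    print("delta: ", diff(AUDIT_BEFORE, AUDIT_AFTER))
    print("still flagged:", remaining_modules(AUDIT_AFTER))
    print("gate:", gate(AUDIT_AFTER, {"critical": 0}))
```

Two caveats for anyone reproducing the changelog's numbers this way: yarn v1 emits one `auditAdvisory` record per dependency path, so a single advisory reachable through several paths counts several times (de-duplicate on the advisory `id` if you want unique findings), and a count that stays flat after an upgrade, as `mongoose` does here, is exactly the case the "will not upgrade" list documents, so `remaining_modules` is the list to reconcile against such accepted-risk entries rather than treat as a failed upgrade.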

@derrickmehaffy derrickmehaffy left a comment

LGTM

@alexandrebodin alexandrebodin removed the request for review from gu-stav November 22, 2022 09:56
@alexandrebodin alexandrebodin merged commit d8ca7ff into releases/3.6.11 Nov 22, 2022
@alexandrebodin alexandrebodin deleted the chore/v3-deps branch November 22, 2022 15:23
@derrickmehaffy
Member

(Thanks Alex lol)

Labels
pr: security This PR is security issue source: dependencies Source is dependency problem