Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: security vulnerability issues #26

Closed
wants to merge 3 commits into from
Closed

fix: security vulnerability issues #26

wants to merge 3 commits into from

Conversation

AkhilJ321
Copy link

Used npm audit fix to resolve low priority issues.
1.Fixed issue for 'semver' by creating a override

Issue Related: #21

@AkhilJ321
Copy link
Author

@garg3133 can you review this?

garg3133
garg3133 reviewed Feb 29, 2024
View reviewed changes
package.json Outdated
Comment on lines 20 to 22
"overrides": {
"semver": "^7.5.3"
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of using this, just install the latest version of nightwatch. That should fix it.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't get like install latest nightwatch version?
It will be according to version mentioned in package.json
can you help out a little for this

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, just do npm i -D nightwatch@latest and npm un -D @types/nightwatch (types are automatically included in the latest version of Nightwatch).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you , I have added the changes with resolving for one more moderate package issue

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After this severe issues are remaining ,on updating which breaking changes are occuring

@garg3133
Copy link
Member

garg3133 commented Mar 5, 2024

@AkhilJ321 What did you do for "update debug package to 4.3.1 for adkit package."? I don't see any change related to the debug package.

@AkhilJ321
Copy link
Author

@garg3133 ,debug package was related to a specific dependency , so I made changes in the package.lock.json for that package.

@AkhilJ321
Copy link
Author

"adbkit-apkreader": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/adbkit-apkreader/-/adbkit-apkreader-3.2.0.tgz", "integrity": "sha512-QwsxPYCqWSmCAiW/A4gq0eytb4jtZc7WNbECIhLCRfGEB38oXzIV/YkTpkOTQFKSg3S4Svb6y///qOUH7UrWWw==", "requires": { "bluebird": "^3.4.7", "debug": "~4.1.1", "debug": "~4.3.1", "yauzl": "^2.7.0" },

@garg3133
Copy link
Member

garg3133 commented Mar 6, 2024

@AkhilJ321 We should never make changes to package-lock.json directly, the changes in package-lock.json should always be auto-generated. To fix the dependencies issue with a particular package, you can try to find the main dependency which is using that particular package by looking through package-lock.json, and then update that main dependency in package.json (after making sure that the new version is compatible with the project).

On a side note, the changes done in package-lock.json would anyway won't matter for an end user because package-lock.json is not shipped with the project.

The next steps here would be to create a new PR (from a fresh branch) and the for every step you follow, create a separate commit for it. For ex. one commit for just npm run audit --fix, one for updating Nightwatch dependency, etc.

@AkhilJ321
Copy link
Author

Okay,thank you for the reviews .I will make a PR soon

@garg3133 garg3133 closed this May 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@garg3133 garg3133 garg3133 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AkhilJ321 @garg3133