Fix significantly outdated dependencies and security vulnerabilities #22
agrohs wants to merge 9 commits into mobify:develop from
Conversation
As per my other note on #19, I'd also suggest adding something like Renovate(bot) to this repo going forward. It will automatically create pull requests for manual review/consideration each time one of the dependencies in this project has a version update. This can help avoid major updates to a bunch of packages all in one commit/PR. Just my 2 cents!
Well that's cool 🎈 – thanks @agrohs! I'll see if I can find time to review over the next week or two 🕐
As an aside, I have a separate PR ready to go that brings in generation of, storage and validation/checking of oAuth tokens for oAuth required requests to the Shop API (using it locally within our project via the fork for now). It is branched starting from the above new packages/PR as the starting point so will keep it in my fork and wait to submit that PR till this one is reviewed/cleared but just wanted to send a heads up!
@agrohs – well that also sounds pretty cool :) We use this package both client & server-side (in browser & in Node) – as a side effect of that, we also manage JWTs outside the scope of this package. I'd be really interested in seeing what you're doing and I think it would be valuable to document strategies to persist tokens but we'd probably have to put our thinking caps on a bit around whether we'd accept a patch that added storage. |
The storage persistence actually already takes into account both running client and server side (based on a similar implementation for another API we work with). It has pluggable storage factories and contains 2 implementations (one for in-memory storage and one for local storage that uses node-localstorage if running server side or the browser's local storage if being used client side)!
… On May 24, 2019, at 6:29 PM, John Boxall ***@***.***> wrote:
Just checking in on this PR?

Description
This PR includes updates to several outdated dependencies (including a few with significant security vulnerabilities in the old versions).
Fixes #19
Changes
.babelrc, rollup.config.js and package.json script updates related to the following package updates.

Minor version updates:
- "atob": "^2.0.3" -> "^2.1.2"
- "btoa": "^1.1.2" -> "^1.2.1"
- "eslint-import-resolver-webpack": "^0.8.3" -> "eslint-import-resolver-webpack": "^0.11.1"
- "eslint-plugin-import": "2.3.0" -> "eslint-plugin-import": "^2.17.2"
- "express": "^4.16.2" -> "express": "^4.17.0"
- "jsdoc": "^3.4.3" -> "jsdoc": "^3.6.2"
- "mobify-code-style": "2.8.1" -> "mobify-code-style": "^2.8.4"

Major version updates:
- "superagent": "3.5.2" -> "^5.0.5"
- "babel-cli": "^6.24.1" -> "@babel/cli": "^7.4.4"
- "babel-core": "6.18.0" -> "@babel/core": "^7.4.5"
- "babel-preset-env": "^1.6.1" -> "@babel/preset-env": "^7.4.5"
- "eslint": "3.19.0" -> "eslint": "^5.16.0"
- "mocha": "~2.3.4" -> "mocha": "^6.1.4"
- "rollup": "^0.49.3" -> "rollup": "^1.12.3"
- "rollup-plugin-babel": "^3.0.2" -> "rollup-plugin-babel": "^4.3.2"
- "rollup-plugin-commonjs": "^8.2.6" -> "rollup-plugin-commonjs": "^10.0.0"
- "rollup-plugin-node-resolve": "^3.0.0" -> "rollup-plugin-node-resolve": "^5.0.0"
- "sinon": "1.17.3" -> "sinon": "^7.3.2"

Removed dependencies (should no longer be needed):
- "babel-plugin-external-helpers": "^6.22.0"

Additional dependencies (required as peer for updated packages above, or for testing):
- "@babel/register": "^7.4.4"
- "webpack": "^4.32.2"
How to test this PR?
Ran full test suite using npm run test (including updating the test config in package.json from babel-core/register to @babel/register).

IMPORTANT: The following 2 existing tests failed due to coding issues in the existing test (CustomersApi.spec.js) that are now flagged by the newer/updated version of "mocha" (Error: Resolution method is overspecified. Specify a callback or return a Promise). I have gone ahead and fixed these two issues but would love an extra pair of eyes on them as they are the only changes I needed to make to the tests in order to pass.
FAILED:
UPDATED/PASSED:
NOTE: there are also a few existing tests that throw an UnhandledPromiseRejectionWarning and should be addressed in the core code, but they appeared in the existing test suite run before making any changes.

Checklist:
- npm run lint
- README.md and CHANGELOG.md
- npm test
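The "Resolution method is overspecified" failure mentioned above comes from a test body that both declares a `done` callback and returns a Promise. The following is an added example, not code from this PR or from CustomersApi.spec.js: it re-implements mocha's shape check in a few lines, then shows a hypothetical test in the rejected form beside the two forms newer mocha accepts. `fakeCustomersApi` is a constructed stand-in for the real client.

```javascript
// Simplified mirror of the rule mocha applies to each test body: a function
// that declares a parameter is treated as callback-style (mocha inspects
// fn.length); if it ALSO returns a thenable, mocha fails the test with
// "Resolution method is overspecified". Returns a label for the shape found.
function classifyTest(testFn) {
  const usesCallback = testFn.length > 0;
  const result = testFn(() => {}); // no-op stand-in for mocha's `done`
  const returnsPromise = Boolean(result) && typeof result.then === 'function';
  if (usesCallback && returnsPromise) {
    return 'error: Resolution method is overspecified. Specify a callback or return a Promise; not both.';
  }
  if (returnsPromise) return 'promise';
  if (usesCallback) return 'callback';
  return 'sync';
}

// Constructed stand-in for the API client under test (hypothetical shape).
const fakeCustomersApi = {
  getCustomer: () => Promise.resolve({ customer_id: 'constructed-id' }),
};

function checkCustomer(customer) {
  if (customer.customer_id !== 'constructed-id') throw new Error('unexpected customer');
}

// BEFORE: the pattern the upgraded mocha rejects. The body takes `done` and
// calls it inside .then(), but it also returns the promise chain, so mocha
// cannot tell which completion signal to trust.
function overspecifiedTest(done) {
  return fakeCustomersApi.getCustomer().then((customer) => {
    checkCustomer(customer);
    done();
  });
}

// AFTER (promise style): drop `done` and return the promise. A rejection is
// reported as a failure, so an assertion that throws inside .then() is enough.
function promiseOnlyTest() {
  return fakeCustomersApi.getCustomer().then(checkCustomer);
}

// AFTER (callback style): keep `done`, return nothing, and route both the
// success and the failure path into `done` so a failing assertion is reported
// instead of becoming an unhandled rejection.
function callbackOnlyTest(done) {
  fakeCustomersApi.getCustomer().then(checkCustomer).then(done, done);
}
```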