chore: Clean up deps and npm audit issues #2058
Conversation
These haven't been used directly by the design package for awhile.. probably since the big design token rewrite. Also removed from the root package.json as it isn't a direct dependency.. storybook uses it as a sub dep.
jdeichert
changed the title
jdeichert
changed the title
Deploying atlantis with
|
| Latest commit: |
6d2c97c
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://330880bc.atlantis.pages.dev |
| Branch Preview URL: | https://cleanup-bumps-deps-attempt2.atlantis.pages.dev |
jdeichert
force-pushed
the
CLEANUP/bumps-deps-attempt2
branch
from
854958c to
a8820f2
Compare
| width: string | number; | ||
| height: string | number; | ||
| width: number; | ||
| height: number; |
There was a problem hiding this comment.
After upgrading react-native, it was complaining about these prop types on our Icon component. Removing string fixed it.
Notably our components-native package uses the version of react-native inside JM (it's a peer dep) which is already on 0.73.9. This means this should have zero impact as we haven't had any reported issues with icons yet.
jdeichert
force-pushed
the
CLEANUP/bumps-deps-attempt2
branch
from
5fea461 to
7bc23ad
Compare
| "main": "src/index.ts", | ||
| "scripts": {}, | ||
| "devDependencies": { | ||
| "react": "^16.8.6" |
There was a problem hiding this comment.
Wasn't necessary thankfully 😅
| "react-intl": "^6.4.2", | ||
| "react-native": "^0.71.7", | ||
| "react-native": "0.73.9", |
There was a problem hiding this comment.
Upgraded to match JM's version. Not using the caret as I wanted to keep it in sync with JM instead of auto bumping patch versions.
| @@ -134,9 +132,8 @@ | |||
| "react": "^18.2.0", | |||
| "react-dom": "18.2.0", | |||
| "react-ga4": "^2.1.0", | |||
| "react-hook-form": "^7.30.0", | |||
There was a problem hiding this comment.
Unnecessary at the root level, it's a dep in both components and components-native
| @@ -125,7 +124,6 @@ | |||
| "lodash": "^4.17.21", | |||
| "metro-react-native-babel-preset": "^0.76.0", | |||
| "plop": "^2.5.3", | |||
| "postcss": "^8.4.40", | |||
There was a problem hiding this comment.
Removed as it's not directly used... Storybook imports it as a dep.
| @@ -69,26 +69,25 @@ | |||
| "@jobber/generators": "*", | |||
| "@jobber/stylelint-config": "*", | |||
| "@react-native-community/datetimepicker": "^7.1.0", | |||
| "@storybook/addon-actions": "7.6.11", | |||
There was a problem hiding this comment.
Upgraded more storybook-related deps to match the recently merged version bump.
| "@types/react-native-uuid": "^1.4.0", | ||
| "metro-react-native-babel-preset": "^0.76.0", | ||
| "react-test-renderer": "^18.2.0", | ||
| "typescript": "^4.9.5" |
There was a problem hiding this comment.
Typescript is shared at the root now, removed from all individual packages.
| @@ -400,7 +400,6 @@ function InputTextInternal( | |||
| styleOverride?.inputText, | |||
| loading && loadingType === "glimmer" && { color: "transparent" }, | |||
| ]} | |||
| // @ts-expect-error - does exist on 0.71 and up https://github.com/facebook/react-native/pull/39281 | |||
There was a problem hiding this comment.
No longer necessary as we bumped react-native to match JM
| "@testing-library/jest-dom": "^5.16.5", | ||
| "@testing-library/react": "^14.0.0", | ||
| "@testing-library/react-hooks": "^7.0.2", | ||
| "@testing-library/user-event": "^14.5.1", |
There was a problem hiding this comment.
Shared at the root package.json
| "postcss": "^8.4.40", | ||
| "postcss-calc": "^10.0.0", | ||
| "postcss-cli": "^11.0.0", | ||
| "postcss-import": "^16.1.0", |
There was a problem hiding this comment.
These haven't been used directly by the design package for awhile.. probably since the big design token rewrite.
jdeichert
force-pushed
the
CLEANUP/bumps-deps-attempt2
branch
from
8dbb845 to
b3285a4
Compare
`npm i --legacy-peer-deps=true` and then another `npm i`
npm update express npm update path-to-regexp
npm update @nrwl/devkit npm update npm-registry-fetch npm update make-fetch-happen npm update socks-proxy-agent npm update socks
npm update nx
Fixes another high sev issue
| @@ -28,7 +28,6 @@ | |||
| "lint:js": "eslint --ext .js,.jsx,.ts,.tsx . --ignore-pattern node_modules/ --ignore-pattern 'packages/design/src/assets/**'", | |||
| "lint:markdown": "prettier --check '**/*.{md,mdx}' --write", | |||
| "pack": "npm run bootstrap && npm pack -w", | |||
| "plop": "echo '🚧 `npm run plop` is now `npm run generate`'", | |||
There was a problem hiding this comment.
Upgraded plop to v4. This ^ warning has probably been around long enough, so I removed it. I can add it back if anyone depends on it 👀
| @@ -124,19 +121,16 @@ | |||
| "lint-staged": "^9.4.2", | |||
| "lodash": "^4.17.21", | |||
| "metro-react-native-babel-preset": "^0.76.0", | |||
| "plop": "^2.5.3", | |||
There was a problem hiding this comment.
Upgraded to v4 (a few lines below)
| "postcss-import": "^12.0.1", | ||
| "postcss-loader": "^4.2.0", | ||
| "postcss-preset-env": "^8.3.0", | ||
| "prettier": "^2.4.1", | ||
| "prop-types": "^15.7.2", |
| "lerna": { | ||
| "semver": "^5.7.2 || ^6.3.1 || ^7.5.2", | ||
| "make-dir": { | ||
| "semver": "^6.3.1" | ||
| } | ||
| }, |
There was a problem hiding this comment.
semver is one of our high severity issues (see npm audit on master). I upgraded it within a bunch of subdeps, but lerna was difficult and depends on an exact version (they are not using ^), so the only way to override it is like this.
I'll publish a pre-release to verify lerna is still working 👍
There was a problem hiding this comment.
Just a comment, we may want to make a ticket for updating lerna / remove it if we want to transition later but that is a not in this PR thing
jdeichert
changed the title
|
Published Pre-release for 6d2c97c with versions: To install the new version(s) for Web run: To install the new version(s) for Mobile run: |
| @@ -109,7 +107,6 @@ | |||
| "eslint": "^8.36.0", | |||
| "eslint-formatter-codeframe": "^7.32.1", | |||
| "eslint-import-resolver-alias": "^1.1.2", | |||
| "eslint-plugin-jest": "^22.6.4", | |||
There was a problem hiding this comment.
Used inside packages/eslint-config/package.json
|
Seeing a bug on the home page when I use the pre-release on Jobber Frontend. I removed the pre-release and re-added it so I am confident the bug is related to the changes. |
|
@Aiden-Brine I'm not seeing that 🤔 I tested both light and dark mode. 
Are you clearing your vite cache between rebuilds by chance? |
| @@ -448,10 +448,6 @@ | |||
| "@rollup/plugin-commonjs": "^25.0.7", | |||
| "@rollup/plugin-node-resolve": "15.2.3", | |||
| "@rollup/plugin-typescript": "^11.1.6", | |||
| "@testing-library/jest-dom": "^5.16.5", | |||
There was a problem hiding this comment.
Changes from the actual bundled output of components is just file renames with different hashes and updates to imports to go the the renamed files
| @@ -111,8 +111,8 @@ function buildSVGStyle( | |||
| const iconSizeStyle = iconSizes.tokens[size]; | |||
| const svgStyle: { | |||
| fill?: string; | |||
| width: string | number; | |||
| height: string | number; | |||
| width: number; | |||
There was a problem hiding this comment.
Checking the compiled output for design it is the exact same except for this but there are no typescript errors caused by this change
| @@ -400,7 +400,6 @@ function InputTextInternal( | |||
| styleOverride?.inputText, | |||
| loading && loadingType === "glimmer" && { color: "transparent" }, | |||
| ]} | |||
| // @ts-expect-error - does exist on 0.71 and up https://github.com/facebook/react-native/pull/39281 | |||
| readOnly={readonly} | |||
There was a problem hiding this comment.
This is the only diff in the bundle output but there are no typescript errors caused by this
|
@Aiden-Brine I was unable to see this. My assumption is that some file is being caused try cleaning all of node modules and trying a new install. |
Motivations
This PR cleans up a number of High Severity audit issues (from 19, down to 1). To achieve this, I tried to make the minimum amount of changes required. Along the way, I attempted to clean up some old, unnecessary dependencies as well. Check out my inline comments for more context.
This also closes a number of open Dependabot PRs:
Changes
Changed
Removed
Security
Testing
To test this:
npm run generateto ensure it still worksChanges can be tested via Pre-release