Upgrade Dependencies to Resolve Deprecations, Conflicts, and Security Vulnerabilities #401

Open
julioest opened this issue Jan 29, 2025 · 3 comments
julioest commented Jan 29, 2025

Overview

Our project is facing npm deprecation warnings, dependency conflicts, and security vulnerabilities. Resolving these issues is essential for maintaining stability, security, and long-term maintainability.

Issues Identified

Deprecation Warnings

  • querystring@0.2.0: Replace with URLSearchParams.
  • svgo@1.3.2: Upgrade to svgo@2.x.x.
  • chokidar@2.1.8: Upgrade to chokidar@3.x.x.
  • Additional Deprecated Packages: Includes urix, stable, uuid, and more.

Dependency Conflicts

  • Example: Conflicts between eslint@6.8.0 and @typescript-eslint/parser@1.13.0.
  • Impact: May cause unexpected behavior or build failures.

Security Vulnerabilities

  • Summary:
    • Low: 5
    • Moderate: 61
    • High: 35
    • Critical: 1
  • Recommendations:
    • Run npm audit fix for non-breaking fixes.
    • Use npm audit fix --force with caution for breaking changes.
    • Manually resolve remaining issues.

Proposed Actions

Upgrade Deprecated Dependencies

  • Replace querystring with URLSearchParams.
  • Upgrade to svgo@2.x.x and chokidar@3.x.x.
  • Update other deprecated packages as necessary.

Resolve Dependency Conflicts

  • Align @typescript-eslint/parser and eslint versions to avoid conflicts.
  • Address other dependency issues as identified.

Address Security Vulnerabilities

  • Apply automated fixes with npm audit fix.
  • Manually update or replace packages with unresolved vulnerabilities.
  • Test the application to ensure no regressions.

Acceptance Criteria

  • Deprecated packages are upgraded or replaced.
  • Conflicts are resolved with compatible dependencies.
  • Security vulnerabilities are significantly reduced.
  • The project builds and runs without warnings or issues.
  • All functionalities are tested and verified.
  • Documentation reflects updated dependencies and usage.

Additional Information

https://github.com/boostorg/website-v2-docs/actions/runs/13034378117/job/36361062783?pr=400#step:5:27
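As an added illustration of the first proposed action (this is example code, not code from the issue or the boostorg project), a small querystring-compatible wrapper over the built-in URLSearchParams; the assumption that callers expect a repeated key to come back as an array, as querystring.parse returns it, is mine.

```javascript
// Added example: replacing the deprecated querystring module with the
// WHATWG URLSearchParams API that ships with Node.js and browsers.
// Assumed: existing callers rely on querystring's convention that a
// repeated key yields an array of values, so the helpers preserve it.

function parseQuery(query) {
  // URLSearchParams strips one leading '?', so 'a=1' and '?a=1' parse alike
  // (querystring.parse would have kept the '?' as part of the first key).
  const params = new URLSearchParams(query);
  // querystring.parse returns a null-prototype object; keep that property.
  const result = Object.create(null);
  for (const key of new Set(params.keys())) {
    const values = params.getAll(key); // '+' and %XX escapes are decoded here
    result[key] = values.length === 1 ? values[0] : values;
  }
  return result;
}

function stringifyQuery(obj) {
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(obj)) {
    // Expand arrays back into repeated keys, as querystring.stringify does.
    const values = Array.isArray(value) ? value : [value];
    for (const v of values) params.append(key, String(v));
  }
  // Spaces become '+', reserved characters are percent-encoded.
  return params.toString();
}

// Constructed sample input exercising a repeated key, both space encodings
// and an empty value.
const sample = '?tag=security&tag=npm&q=a+b%20c&empty=';
const parsed = parseQuery(sample);
console.log(parsed);                 // { tag: ['security', 'npm'], q: 'a b c', empty: '' }
console.log(stringifyQuery(parsed)); // tag=security&tag=npm&q=a+b+c&empty=
```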

@julioest julioest self-assigned this Jan 29, 2025
@rbbeeston rbbeeston added the Task label Jan 30, 2025
@rbbeeston rbbeeston moved this to Accepted in website-v2 Jan 30, 2025
@julioest julioest moved this from Accepted to In Progress in website-v2 Jan 30, 2025
sdarwin commented Feb 6, 2025

We may want to track this open merge request for a few days and see how they resolve it, or use it as a reference. The submitter there is updating antora-ui packages.

https://gitlab.com/antora/antora-ui-default/-/merge_requests/187

julioest commented Feb 6, 2025

Oh, this is great!

@rbbeeston rbbeeston moved this from In Progress to On Hold in website-v2 Feb 10, 2025
https://gitlab.com/antora/antora-ui-default/-/merge_requests/187

Changes were not merged here for merge request 187.

Here's the new one to track:
https://gitlab.com/antora/antora-ui-default/-/merge_requests/189
