Bump sveltejs/vite-plugin-svelte and sveltejs/kit and override cookie (#5867)

# Motivation

`npm audit` was pointing out some vulnerabilities:
```
$ npm audit
# npm audit report

@sveltejs/kit  <=2.8.2
@sveltejs/kit vulnerable to on dev mode 404 page - GHSA-rjjv-87mx-6x3h
@sveltejs/kit has unescaped error message included on error page - GHSA-mh2x-fcqh-fmqv
fix available via `npm audit fix`
node_modules/@sveltejs/kit

1 low severity vulnerability

To address all issues, run:
  npm audit fix
```

Unfortunately they couldn't be fixed by `npm audit fix`:
```
$ npm audit fix
package-lock.json was unchanged.
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: @dfinity/[email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/svelte
npm ERR!   dev svelte@"^4.2.19" from the root project
npm ERR!   peer svelte@"^4.0.0 || ^5.0.0-next.0" from @sveltejs/[email protected]
npm ERR!   node_modules/@sveltejs/kit
npm ERR!     dev @sveltejs/kit@"^2.5.28" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer svelte@"^5.0.0-next.96 || ^5.0.0" from @sveltejs/[email protected]
npm ERR! node_modules/@sveltejs/vite-plugin-svelte
npm ERR!   peer @sveltejs/vite-plugin-svelte@"^3.0.0 || ^4.0.0-next.1" from @sveltejs/[email protected]
npm ERR!   node_modules/@sveltejs/kit
npm ERR!     dev @sveltejs/kit@"^2.5.28" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! 
npm ERR! For a full report see:
npm ERR! /Users/dskloet/.npm/_logs/2024-11-27T15_15_55_672Z-eresolve-report.txt

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/dskloet/.npm/_logs/2024-11-27T15_15_55_672Z-debug-0.log
```

@peterpeterparker helped me resolve this on Slack:
https://dfinity.slack.com/archives/C01S03NBM7S/p1732720610678769

# Changes

1. Bump sveltejs/vite-plugin-svelte and sveltejs/kit
```
npm rm @sveltejs/kit @sveltejs/vite-plugin-svelte
npm i @sveltejs/[email protected] @sveltejs/[email protected] -D
```
2. Override `cookie` version in `package.json` and run the above `npm`
commands again.

# Tests

1. `npm audit` gives `found 0 vulnerabilities`.
2. Relying on CI.

# Todos

- [ ] Add entry to changelog (if necessary).
not necessary
dskloetd authored Nov 27, 2024
1 parent 1eb5f9f commit 7d07c35
Showing 2 changed files with 29 additions and 36 deletions.
59 changes: 25 additions & 34 deletions frontend/package-lock.json

Some generated files are not rendered by default.

6 changes: 4 additions & 2 deletions frontend/package.json
@@ -34,7 +34,8 @@
"@playwright/test": "^1.47.1",
"@rollup/plugin-inject": "^5.0.5",
"@sveltejs/adapter-static": "^3.0.5",
"@sveltejs/kit": "^2.5.28",
"@sveltejs/kit": "^2.8.3",
"@sveltejs/vite-plugin-svelte": "^3.1.2",
"@testing-library/jest-dom": "^6.6.2",
"@testing-library/svelte": "^5.2.3",
"@testing-library/user-event": "^14.5.2",
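Review bot: the hunk only raises the `@sveltejs/kit` range (`^2.5.28` to `^2.8.3`), while `"@sveltejs/vite-plugin-svelte": "^3.1.2"` is shown as unchanged context, even though the title and the `npm i` step in the description say both packages were bumped. Since the `package-lock.json` diff is not rendered here, please confirm that the `package.json` range for `@sveltejs/vite-plugin-svelte` actually matches the version that was installed; otherwise a fresh `npm install` from the manifest may resolve a different major than the lock file records. The kit bump itself looks right: the audit entries (GHSA-rjjv-87mx-6x3h, GHSA-mh2x-fcqh-fmqv) apply to `@sveltejs/kit <=2.8.2`, and `^2.8.3` sets the floor above that.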
@@ -86,6 +87,7 @@
"buffer": "^6.0.3"
},
"overrides": {
"semver": "^7.5.3"
"semver": "^7.5.3",
"cookie": "^0.7.0"
}
}
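Review bot: the reason for adding `"cookie": "^0.7.0"` to `overrides` is not visible anywhere in this change; the Motivation section only lists the `@sveltejs/kit` advisories, and the justification lives behind a Slack link. An npm override applies globally to every nested copy of `cookie` regardless of what the intermediate dependencies declare, so it can silently change behaviour for packages that still expect an older range. Please record in the description why the override was needed (e.g. which dependency still pulled in the old `cookie`), and consider a follow-up to drop the override once the upstream packages require `cookie >=0.7.0` on their own, so the `overrides` block does not accumulate permanent pins like the existing `semver` entry.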

0 comments on commit 7d07c35
