
deps(snyk): update script to prune <0.0.0 and update snapshot#11223

Merged
patrickhulce merged 2 commits into
masterfrom
snyk_script_updates
Aug 6, 2020

Conversation

@patrickhulce

Collaborator

Summary
Prevent certain noop changes described in #11144 (comment)

Related Issues/PRs
#11144

@patrickhulce patrickhulce requested a review from a team as a code owner August 5, 2020 15:53
@patrickhulce patrickhulce requested review from Beytoven and removed request for a team August 5, 2020 15:53
@googlebot


All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

@googlebot


CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

@googlebot


☹️ Sorry, but only Googlers may change the label cla: yes.

@paulirish paulirish left a comment

Member


ok i was very confused because i thought this PR was just updating the script.

but it's updating the script and rolling the snyk snapshot that we got in #11144
i verified each item below.

add "and update snapshot" to the PR title?

Comment thread lighthouse-core/scripts/cleanup-vuln-snapshot.js
{"id":"SNYK-JS-DOJO-174933","severity":"medium","semver":{"vulnerable":["<1.2.0"]}},
{"id":"SNYK-JS-DOJO-72305","severity":"medium","semver":{"vulnerable":["<1.14"]}},
{"id":"npm:dojo:20180818","severity":"medium","semver":{"vulnerable":["<1.10.10",">=1.11.0 <1.11.6",">=1.12.0 <1.12.4",">=1.13.0 <1.13.1"]}},
{"id":"npm:dojo:20160523","severity":"medium","semver":{"vulnerable":["<1.1.0"]}},

Member


this one went to <0.0.0 so it was removed.

{"id":"npm:dojo:20160523","severity":"medium","semver":{"vulnerable":["<1.1.0"]}},
{"id":"npm:dojo:20100614-6","severity":"medium","semver":{"vulnerable":["<1.4.2"]}},
{"id":"npm:dojo:20100614","severity":"medium","semver":{"vulnerable":[">=0.4.0 <0.4.4",">=1.0.0 <1.0.3",">=1.1.0 <1.1.2",">=1.2.0 <1.2.4",">=1.3.0 <1.3.3",">=1.4.0 <1.4.2"]}},
{"id":"npm:dojo:20090409","severity":"medium","semver":{"vulnerable":["<1.1"]}}

Member


this one (npm:dojo:20090409) also went to <0.0.0 so it was removed.

{"id":"npm:dojo:20180818","severity":"medium","semver":{"vulnerable":["<1.10.10",">=1.11.0 <1.11.6",">=1.12.0 <1.12.4",">=1.13.0 <1.13.1"]}},
{"id":"npm:dojo:20160523","severity":"medium","semver":{"vulnerable":["<1.1.0"]}},
{"id":"npm:dojo:20100614-6","severity":"medium","semver":{"vulnerable":["<1.4.2"]}},
{"id":"npm:dojo:20100614","severity":"medium","semver":{"vulnerable":[">=0.4.0 <0.4.4",">=1.0.0 <1.0.3",">=1.1.0 <1.1.2",">=1.2.0 <1.2.4",">=1.3.0 <1.3.3",">=1.4.0 <1.4.2"]}},

Member


this one is the same; it just dropped its comma.

{"id":"npm:knockout:20130701","severity":"medium","semver":{"vulnerable":[">=2.1.0-pre <3.0.0"]}}
],
"lodash":[
{"id":"SNYK-JS-LODASH-567746","severity":"medium","semver":{"vulnerable":["<=4.17.15"]}},

Member


this was a deliberate change discussed in the roll: https://github.com/GoogleChrome/lighthouse/pull/11144/files#r459028283
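An added example (not the project's own cleanup-vuln-snapshot.js) of the pruning this review walks through: it takes a snapshot shaped like the quoted lines, drops advisories whose vulnerable range has become "<0.0.0" (a range no published version can satisfy), and reports the removed ids so each removal can be checked the way the reviewer did; it also drops a stray "<0.0.0" range inside a multi-range advisory, which goes beyond what the thread shows. The package-to-advisories layout, the names pruneSnapshot and isEmptyRange, and the "example-pkg" entry are assumptions.

```javascript
// Added example, not Lighthouse's own cleanup-vuln-snapshot.js. Assumes the
// snapshot maps a package name to advisories shaped like the lines quoted in
// the thread. A "<0.0.0" range matches no version, so it is a no-op to prune.

// Constructed sample: dojo/lodash ranges from the thread, with npm:dojo:20090409
// rewritten to "<0.0.0" as the thread describes, plus a made-up "example-pkg".
const SAMPLE_SNAPSHOT = {
  dojo: [
    {id: 'npm:dojo:20160523', severity: 'medium', semver: {vulnerable: ['<1.1.0']}},
    {id: 'npm:dojo:20090409', severity: 'medium', semver: {vulnerable: ['<0.0.0']}},
    {id: 'npm:dojo:20100614', severity: 'medium',
      semver: {vulnerable: ['>=0.4.0 <0.4.4', '<0.0.0', '>=1.0.0 <1.0.3']}},
  ],
  'example-pkg': [
    {id: 'EXAMPLE-0001', severity: 'high', semver: {vulnerable: ['<0.0.0']}},
  ],
  lodash: [
    {id: 'SNYK-JS-LODASH-567746', severity: 'medium', semver: {vulnerable: ['<=4.17.15']}},
  ],
};

// True for the snapshot's "no version is vulnerable" marker.
function isEmptyRange(range) {
  return range.trim() === '<0.0.0';
}

// Returns a copy of the snapshot with empty ranges dropped, advisories left
// with no range removed, packages left with no advisory removed, and the
// list of removed ids so each removal can be checked as the reviewer did.
function pruneSnapshot(snapshot) {
  const pruned = {};
  const removed = [];
  for (const [pkg, advisories] of Object.entries(snapshot)) {
    const kept = [];
    for (const adv of advisories) {
      const vulnerable = adv.semver.vulnerable.filter(r => !isEmptyRange(r));
      if (vulnerable.length === 0) {
        removed.push(adv.id);
        continue;
      }
      kept.push({...adv, semver: {...adv.semver, vulnerable}});
    }
    if (kept.length > 0) pruned[pkg] = kept;
  }
  return {snapshot: pruned, removed};
}
```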

@patrickhulce patrickhulce changed the title from "deps(snyk): update script to prune <0.0.0" to "deps(snyk): update script to prune <0.0.0 and update snapshot" Aug 5, 2020
Co-authored-by: Paul Irish <paulirish@google.com>
@patrickhulce patrickhulce merged commit 611eb51 into master Aug 6, 2020
@patrickhulce patrickhulce deleted the snyk_script_updates branch August 6, 2020 16:01
radum added a commit to radum/lighthouse that referenced this pull request Aug 13, 2020
* upstream/master: (42 commits)
  docs: add Code of Conduct to project (GoogleChrome#11212)
  docs(readme): add related project: lighthouse-viewer (GoogleChrome#11250)
  core(font-size): remove deprecated DOM.getFlattenedDocument (GoogleChrome#11248)
  misc: fix typo in method name (GoogleChrome#11239)
  i18n: make double dollar validation less strict (GoogleChrome#10299)
  misc: rephrase comments to be more inclusive (GoogleChrome#11228)
  misc: tweak gcp scripts to work in google corp (GoogleChrome#11233)
  v6.2.0 (GoogleChrome#11232)
  report: correctly display CLS in budget table (GoogleChrome#11209)
  report: vertically center thumbnails (GoogleChrome#11220)
  i18n: import (GoogleChrome#11225)
  tests: istanbul ignore inpage function (GoogleChrome#11229)
  deps(snyk): update script to prune <0.0.0 and update snapshot (GoogleChrome#11223)
  core(stacks): timeout stack detection (GoogleChrome#11172)
  core(config): unsized-images to default (GoogleChrome#11217)
  core(image-elements): collect CSS sizing, ShadowRoot, & position (GoogleChrome#11188)
  core: add FormElements gatherer (GoogleChrome#11062)
  new_audit: report animations not run on compositor (GoogleChrome#11105)
  tests: update chromestatus expectations (GoogleChrome#11221)
  deps: update dot-prop secondary dependency (GoogleChrome#11198)
  ...