Update Dependencies for Security Issues #173

Merged
merged 4 commits into from
Jul 14, 2024


CanerKaraca23
Contributor

This PR updates and refreshes all dependencies to the latest versions.

Updating the typescript dependency breaks the build; a fix from developers will be welcomed and appreciated.

It fixes 11 "known" security issues. 6 high, 4 moderate, 1 low security issue and maybe even more...

@AmyrAhmady
Member

AmyrAhmady commented Jul 14, 2024

It doesn't even build.
If you manage to fix building issues I'll merge this.
Otherwise I see absolutely no reason to update any dependency at all. None of those security issues are even remotely related to our usage.

@CanerKaraca23
Contributor Author

CanerKaraca23 commented Jul 14, 2024

> It doesn't even build.
> If you manage to fix building issues I'll merge this.
> Otherwise I see absolutely no reason to update any dependency at all. None of those security issues are even remotely related to our usage.

Downgraded typescript, it should be fine now for merge.

However, even if I downgrade typescript and refresh yarn.lock, it still fails, so I only refreshed cargo. Couldn't manage to fix the build issues, unfortunately. I expected the developers to fix it.

CVE-2023-42282
CVE-2024-29415

security issues are left because the yarn.lock refresh breaks the build.

@AmyrAhmady
Member

> I expected the developers to fix it.
>
> CVE-2023-42282 CVE-2024-29415
>
> security issues are left because the yarn.lock refresh breaks the build.

When you make a PR, it is expected that you make it work. You can add breaking changes and expect it to be merged and make the developer responsible for fixing it.

And regarding those security issues, if you read the details you realize neither of them is used in the project, so it doesn't affect us, just like all the other security issues

@AmyrAhmady AmyrAhmady merged commit 0c0dcb9 into openmultiplayer:master Jul 14, 2024
2 checks passed
@CanerKaraca23
Contributor Author

> > I expected the developers to fix it.
> > CVE-2023-42282 CVE-2024-29415
> > security issues are left because the yarn.lock refresh breaks the build.
>
> When you make a PR, it is expected that you make it work. You can add breaking changes and expect it to be merged and make the developer responsible for fixing it.
>
> And regarding those security issues, if you read the details you realize neither of them is used in the project, so it doesn't affect us, just like all the other security issues

Thanks, build passes now.

Keeping dependencies up-to-date is always good, I think, not only for security but also for bug fixes, improvements, etc.

@CanerKaraca23 CanerKaraca23 deleted the update branch July 14, 2024 23:13
@openmultiplayer openmultiplayer deleted a comment from CanerKaraca23 Jul 15, 2024