-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
USWDS-Site - Snyk: Add postcss override to package.json #2351
Conversation
@@ -96,7 +96,8 @@ | |||
"vinyl-source-stream": "^2.0.0" | |||
}, | |||
"overrides": { | |||
"glob-parent": "6.0.2" | |||
"glob-parent": "6.0.2", | |||
"postcss": "^8.4.31" | |||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinking it would be helpful to have a comment about this override directly in the package.json file. There is not a standard method for adding comments to a json
file, but it is possible if we serve the comment as a data field. Is this anything we are interested in exploring? I feel like it would be easier to add a comment here rather than digging through GitHub or relying on memory to understand why the override is there and what to do with it. Curious what you all think!
}, | |
}, | |
"@overridesComments": { | |
"postcss": "This override should be removed once the related snyk error is resolved in @uswds/compile v1.1.0" | |
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this could make sense
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the idea of adding comments close to the code so we don't forget. A new data field might not be necessary if we reference github issues in these types of commits.
My proposal
- Create issue for updating and removing override.
- Schedule issue two sprints out.
- Add override and reference new issue in git commit message. Provides a nice reference in git blame.
Git commit message
- Add postcss override
+ Temporary postcss override. Remove with #ISSUE_NO
Mockup
You can see in the screenshot below. There's a line via git blame (light gray) and on hover we'll get a link to the issue.
@@ -96,7 +96,8 @@ | |||
"vinyl-source-stream": "^2.0.0" | |||
}, | |||
"overrides": { | |||
"glob-parent": "6.0.2" | |||
"glob-parent": "6.0.2", | |||
"postcss": "^8.4.31" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note
I tried to reference a value of$postcss
as described in the npmjs overrides docs, but could not get it to recognize the reference. Not sure why it isn't working.This reference would be useful because the override must match the declared dependency version exactly, and using a reference would mean that whatever is declared in
devDependencies
is the correct version. However, it should be ok to move forward without the reference, we just need to make sure to update the override version whenever we update thepostcss
devDependency
.
"postcss": "$postcss"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice fix. No issues found on install.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Installs correctly and contains 0
vulnerabilities 👍
Summary
Added an override for postcss in the
package.json
file to prevent a snyk error.Problem statement
Running
npx snyk test
results in the following errror:This is a vulnerability related to a subdependency of gulp-sourcemaps, which has has not been updated for 3 years. Because of the dependency's slow update cycle, it is unlikely that this vulnerability will be resolved by
gulp-sourcemaps
.Solution
Creating a temporary override for this sub-dependency will resolve the snyk error while we wait for an update to uswds/compile.
Alternatively, we could update the snyk ignore, but that would require periodic updates every 30 days and would not resolve the vulnerability.
Testing and review