upgrade moment dependency #6921

Closed
shiftkey opened this issue Feb 22, 2019 · 0 comments · Fixed by #6922
Labels
good first issue Issues marked as ideal for a brand new contributor to start with tech-debt Issues and pull requests related to addressing technical debt or improving the codebase

@shiftkey
Member

I just got a notification about CVE-2017-18214 which was raised against the moment project: moment/moment#4163

We use moment in a few places, and the ReDoS vulnerability is an interesting read, but until I hear more I'm going to leave this open for someone to have a go at:

  • upgrading the dependency in app/package.json to 2.19.3 or later

"moment": "^2.17.1",

  • run yarn from the root to update the lock file

  • commit both of these changes

  • test out the app to ensure it still renders relative dates correctly

Places to check as part of verifying the upgrade:

  • the history view - each commit shows a relative time in the description up until some limit, then it switches to the absolute time

  • the branches list shows the time of the last commit to each branch

  • the fetch button shows the relative time

@shiftkey shiftkey added tech-debt Issues and pull requests related to addressing technical debt or improving the codebase good first issue Issues marked as ideal for a brand new contributor to start with labels Feb 22, 2019
@iAmWillShepherd iAmWillShepherd added this to Available in Community via automation Feb 22, 2019
@iAmWillShepherd iAmWillShepherd moved this from Available to In progress in Community Feb 22, 2019
Community automation moved this from In progress to Done Mar 8, 2019
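
A check that could follow the upgrade steps listed in the issue, as an added example that is not part of the original issue or the project's code: it parses a yarn v1 lock file and reports whether every resolved copy of moment is at or above 2.19.3. The lock-file text is a constructed sample and the function names are hypothetical.

```javascript
// Added example. FIXED is the minimum version named in the issue.
const FIXED = '2.19.3'
// Compare plain x.y.z versions numerically (pre-release tags are not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number)
  const pb = b.split('.').map(Number)
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1
  }
  return 0
}

// Collect every version a yarn v1 lock file resolves for package `name`.
function resolvedVersions(lockText, name) {
  const versions = []
  let inEntry = false
  for (const line of lockText.split(/\r?\n/)) {
    if (/^[^\s#]/.test(line)) {
      // Entry header such as:  "moment@>= 2.9.0", moment@^2.17.1:
      const specs = line.replace(/:\s*$/, '').split(',')
      inEntry = specs.some(s => s.trim().replace(/^"/, '').startsWith(name + '@'))
    } else if (inEntry) {
      const m = /^\s+version\s+"([^"]+)"/.exec(line)
      if (m) versions.push(m[1])
    }
  }
  return versions
}

// ok is true only when moment is present and no resolved copy predates FIXED.
function checkMoment(lockText) {
  const versions = resolvedVersions(lockText, 'moment')
  const vulnerable = versions.filter(v => compareVersions(v, FIXED) < 0)
  return { versions, vulnerable, ok: versions.length > 0 && vulnerable.length === 0 }
}

// Constructed lock-file text. The range ^2.17.1 admits both 2.17.1 and 2.19.3,
// so the resolved "version" line, not the range, is what gets checked.
const sampleLock = v => `# yarn lockfile v1

"moment@>= 2.9.0", moment@^2.17.1:
  version "${v}"

moment-timezone@^0.5.0:
  version "0.5.0"
`
console.log(checkMoment(sampleLock('2.17.1'))) // before the upgrade
console.log(checkMoment(sampleLock('2.19.3'))) // after the upgrade
```
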