fix: strf-8574, bump "hapi" and its modules to fix security issues #617
Conversation
bin/stencil-start
Outdated
| let themePath = process.cwd(); | ||
| let templatePath = Path.join(themePath, 'templates'); | ||
| let dotStencilFilePath = Path.join(themePath, '.stencil'); | ||
| let themeConfigPath = Path.join(themePath, 'config.json'); |
There was a problem hiding this comment.
Is there a reason why these paths can't be const ?
There was a problem hiding this comment.
@junedkazi no, I just didn’t notice that they aren’t further modified :)
bin/stencil-start
Outdated
| proxy: "localhost:" + stencilServerPort, | ||
| tunnel: tunnel, | ||
| }); | ||
| const tunnel = typeof Program.tunnel === 'undefined' |
There was a problem hiding this comment.
we can move this to the top where we define other constants 🍹
| "@hapi/boom": "^8.0.1", | ||
| "@hapi/glue": "^6.2.0", | ||
| "@hapi/good": "^8.2.4", | ||
| "@hapi/good-console": "^8.1.2", |
There was a problem hiding this comment.
This is going to be deprecated soon. See https://www.npmjs.com/package/@hapi/good-console for details.
This is not a blocker but we should investigate and figure out if it is required or we drop the usage in a followup PR.
There was a problem hiding this comment.
Ok, I'll check it on Monday
| @@ -36,11 +36,17 @@ | |||
| "@bigcommerce/stencil-paper": "^3.0.0-rc.29", | |||
| "@bigcommerce/stencil-styles": "1.2.1", | |||
| "@octokit/rest": "^18.0.3", | |||
| "@hapi/boom": "^8.0.1", | |||
| "@hapi/glue": "^6.2.0", | |||
| "@hapi/good": "^8.2.4", | |||
There was a problem hiding this comment.
This is going to be deprecated soon. See https://www.npmjs.com/package/@hapi/good for details.
This is not a blocker but we should investigate and figure out if it is required or we drop the usage in a followup PR.
There was a problem hiding this comment.
Ok, I'll check it on Monday
There was a problem hiding this comment.
@junedkazi I checked, we can drop "@hapi/good" and "@hapi/good-console" since they aren't actually used in this project. I can create a corresponding followup PR when this one gets merged.
| @@ -19,11 +19,12 @@ lab.describe('RawResponse', () => { | |||
| const statusCode = 200; | |||
| let request; | |||
| let response; | |||
| let reply; | |||
| let h; | |||
There was a problem hiding this comment.
@junedkazi From the docs "h" stands for HAPI.
They replaced the reply function with this "Response Toolkit" (h) in v17.
| @@ -14,24 +14,24 @@ const internals = { | |||
| */ | |||
| function RawResponse(data, headers, statusCode) { | |||
|
|
|||
| this.respond = function (request, reply) { | |||
| var payload = data; | |||
| this.respond = function (request, h) { | |||
There was a problem hiding this comment.
@junedkazi From the docs "h" stands for HAPI.
They replaced the reply function with this "Response Toolkit" (h) in v17.
There was a problem hiding this comment.
@MaxGenash I feel this is good to go. Can you create follow up tickets to drop the deprecated packages ?
What?
Bumped outdated versions of "hapi" and its related modules to fix security vulnerabilities.
Modules "h2o2" and "inert" were emitted from "hapi" in the newer versions, so I added them as separate dependencies.
Tickets / Documentation
This PR is a part of STRF-8574