leanupjs / leanup Goto Github PK

Fix all dep versions.

Use ncu instead of npm up.

https://www.npmjs.com/package/npm-check-updates

Issues:

• https://github.com/leanupjs/leanup/runs/1369188090?check_suite_focus=true#step:4:274

We can take the same - with config of webpack-dev-server.

That dist folder becomes much smaller. without public/ frame stuff.

It needs manual handling of webpage

https://www.npmjs.com/package/critters

https://github.com/sonatype-nexus-community/auditjs

The question is ...

Are app assets part of the frame page or not?

Use esbuild for core
Use ??? for lint
Use ts-node for test

Remove the npm warning.

sonatype-nexus-community/copy-modules-webpack-plugin#20

Because it is important, but a Project specific.

It could configured in project webpack.config.js.

Vulnerabilities

DepShield reports that this application's usage of lodash._arraycopy:3.0.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._arraycopy:3.0.0 is a transitive dependency introduced by the following direct dependency(s):

• @leanup/cli:1.0.84
        └─ @leanup/cli-core-e2e:1.0.84
              └─ nightwatch:1.5.1
                    └─ lodash.clone:3.0.3
                          └─ lodash._baseclone:3.3.0
                                └─ lodash._arraycopy:3.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Issue: sonatype-nexus-community/copy-modules-webpack-plugin#25
PR: sonatype-nexus-community/copy-modules-webpack-plugin#26

evanw/esbuild#565

npm i -g @leanup/cli @leanup/cli-react

Thanks @developit.

https://github.com/developit/workerize-loader

https://github.com/jorgebucaran/hyperapp

Neutrino is a tool for creating of shared webpack presets and middlwares. If you build your infrastructure with neutrino you have these benefits:

• Zero configuration by default
• Any Webpack setting is customizable by consumers
• Webpack configuration (Neutrino presets) still can be updated from NPM even after the installation
• A lot of community presets (SASS, LESS, Frameworks, Babel, Storybook, Eslint, Jest, etc.)
• You can compose presets and middlewares
• You can create your custom presets and build the next Create React App Killer

For example I have my personal list of middlewares as I share them between a lot of presets for React, Vue, Koa and others https://github.com/constgen/constgen-neutrino

Situation:

• Leanup project with the standard config (e.g. tests are run via mocha)
• Project has a dependency to another project (like a rest-api generated via opengenerator, still in ts form) -> which creates an export for an enum
• If you use this enum in a test, the test cannot be executed anymore as we get a compile error

-> one solution is to let babel take all .ts / .tsx files

Currently the babel.register.js in cli-core-test checks only on only: ['./node_modules/@leanup', './src', './tests']
So it will not take the child project into account.

What would be the holdup to let it scan the whole path, like only: ['./'] (which solves the problem with the enum as the babel loader knows how to handle it). It still only takes files with extension ts & tsx

Vulnerabilities

DepShield reports that this application's usage of lodash.set:4.3.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.set:4.3.2 is a transitive dependency introduced by the following direct dependency(s):

• lerna:3.22.1
        └─ @lerna/version:3.22.1
              └─ @lerna/github-client:3.22.0
                    └─ @octokit/rest:16.43.2
                          └─ lodash.set:4.3.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Its only a flag

Vulnerabilities

DepShield reports that this application's usage of lodash._basefor:3.0.3 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._basefor:3.0.3 is a transitive dependency introduced by the following direct dependency(s):

• @leanup/cli:1.0.84
        └─ @leanup/cli-core-e2e:1.0.84
              └─ nightwatch:1.5.1
                    └─ lodash.clone:3.0.3
                          └─ lodash._baseclone:3.3.0
                                └─ lodash._basefor:3.0.3

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

https://reactjs.org/blog/2020/09/22/introducing-the-new-jsx-transform.html

aurelia/aurelia#982

https://github.com/krasimir/navigo/blob/HEAD/DOCUMENTATION.md

sveltejs/svelte-loader#139

Vulnerabilities

DepShield reports that this application's usage of lodash._baseassign:3.2.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._baseassign:3.2.0 is a transitive dependency introduced by the following direct dependency(s):

• @leanup/cli:1.0.84
        └─ @leanup/cli-core-e2e:1.0.84
              └─ nightwatch:1.5.1
                    └─ lodash.clone:3.0.3
                          └─ lodash._baseclone:3.3.0
                                └─ lodash._baseassign:3.2.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash._getnative:3.9.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._getnative:3.9.1 is a transitive dependency introduced by the following direct dependency(s):

• @leanup/cli:1.0.84
        └─ @leanup/cli-core-e2e:1.0.84
              └─ nightwatch:1.5.1
                    └─ lodash.clone:3.0.3
                          └─ lodash._baseclone:3.3.0
                                └─ lodash.keys:3.1.2
                                      └─ lodash._getnative:3.9.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}