tech story: Update packages to address dependabot security concerns #63
ab1dce8 to 3e4234b
"@storybook/react": "^8.3.0", | ||
"@storybook/react-vite": "^8.3.0", | ||
"@storybook/test": "^8.3.0", | ||
"@storybook/theming": "^8.3.0", |
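Review bot: the four @storybook/* entries shown here are caret ranges (^8.3.0), so the versions actually installed are whatever yarn.lock resolves within 8.x, not necessarily 8.3.0. Since the description says this update is meant to clear Dependabot alerts, check that the regenerated yarn.lock is committed with this change and that its resolved versions are the patched ones.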
I wonder if we could only use one set of storybook dependencies between CM & DLS (and maybe a couple other packages). DLS is here to stay now, so it could potentially serve as a sole provider for some deps (I would only consider devDependencies).
Yea would be a benefit if we maintain the monorepo approach where we can have one package.json hoisted that's shared across packages.
👀
Created an internal ticket [M3-8596] for investigating this!
✅ No changes to dist file
@coliu-akamai Thanks for the suggestions above, I'll tackle those in a separate PR.
)
* remove package json
* update packages - will need to upgrade node to fully upgrade @typescript-eslint stuff??
* upgrade node to 18.18 + upgrade typescript/eslint dependencies
* update rest of packages that seem safe to update
* update node versions for yml files to match updated package.json? hmm
Description 📝
Updates (most) packages to their latest version in order to address the Dependabot security concerns. Removes package-lock.json since that is old/not necessary with yarn.lock.
Major Changes 🔄
Testing
yarn generate doesn't result in file differences