
USWDS-Site - POAM: October '24 #2867

Merged
merged 7 commits into from
Nov 4, 2024

Conversation

mahoneycm
Contributor

@mahoneycm mahoneycm commented Oct 10, 2024

Summary

Installed available minor and patch updates for direct dependencies.

Related issue

USWDS-Team - POAM: October 2024

Preview link

Resolves https://github.com/uswds/uswds-site/security/dependabot/82
Resolves https://github.com/uswds/uswds-site/security/dependabot/81
Resolves https://github.com/uswds/uswds-site/security/dependabot/66

Major changes

  • Major version change from gulp 4 → 5
  • Major version change from gulp-cli

Dependency updates

Before:

16 vulnerabilities (8 moderate, 8 high)

After:

3 moderate severity vulnerabilities

Package updates

| Dependency name | Old version | New version |
| --- | --- | --- |
| cheerio | ^1.0.0-rc.12 | ^1.0.0 |
| eslint-plugin-import | ^2.29.1 | ^2.30.0 |
| express | ^4.19.2 | ^4.21.0 |
| gulp | ^4.0.2 | ^5.0.0 |
| gulp-cli | ^2.30 | ^3.0.0 |
| postcss | ^8.4.40 | ^8.4.47 |
| sass | ^1.77.8 | ^1.78.0 |
| snyk | ^1.1292.2 | ^1.1293.1 |

Gem updates

| Gem name | Old version | New version |
| --- | --- | --- |
| google-protobuf | 4.27.3 | 4.28.1 |
| i18n | 1.14.5 | 1.14.6 |
| jekyll | 4.3.3 | 4.3.4 |
| parallel | 1.26.2 | 1.26.3 |
| rexml | 3.3.5 | 3.3.7 |
| rouge | 4.3.0 | 4.4.0 |
| rspec-core | 3.13.0 | 3.13.1 |
| rspec-expectations | 3.13.1 | 3.13.3 |
| sass-embedded | 1.77.8 | 1.78.0 |
| strscan | 3.1.0 | -- |
| zeitwerk | 2.6.17 | 2.6.18 |

Testing and review

  1. Run npm install.
  2. Run npm run build and confirm there are no build errors.
  3. Run various gulp scripts and confirm there are no errors.
  4. Run npm start and confirm there are no build errors.
  5. Run npm test and confirm there are no errors.
  6. No perceived visual regressions.

@mahoneycm mahoneycm mentioned this pull request Oct 10, 2024
7 tasks
@mahoneycm mahoneycm changed the title Cm poam oct 24 USWDS-Site - POAM: October '24 Oct 10, 2024
@mahoneycm mahoneycm requested a review from amyleadem October 21, 2024 15:20
"fancy-log": "^2.0.0",
"gulp": "^4.0.2",
"gulp-cli": "^2.3.0",
"gulp": "^5.0.0",
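Review bot: the package table in the PR description lists gulp-cli as ^2.30 → ^3.0.0, but this hunk only bumps "gulp": "^4.0.2" to "gulp": "^5.0.0"; "gulp-cli": "^2.3.0" appears unchanged and no updated gulp-cli line is visible here, and the table's old version reads ^2.30 where the file says ^2.3.0. Either bump gulp-cli in this change as well or correct the table so it matches the changed files.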
Contributor

@mahoneycm have we tested and confirmed fonts/assets corruption issue here?

Contributor Author

No perceived changes from my initial testing but let me give this another sweep to make sure 👍

Contributor Author

Looks like there was an error with some blog post images being encoded in the copyDocImages function!

Resolved in fdc8882 and I haven't found any additional gulp.src() functions that need to be updated.

Builds currently failing due to Node LTS upgrade

Contributor

@mejiaj mejiaj Oct 30, 2024

@mahoneycm build issues should be resolved now, but we have a new snyk error being flagged.

Issues with no direct upgrade or patch:
  ✗ Missing Release of Resource after Effective Lifetime [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116] in [email protected]
    introduced by @uswds/[email protected] > [email protected] > [email protected] > [email protected] > [email protected]
  No upgrade or patch available

Contributor Author

@mejiaj thanks for flagging! I looked into seeing if we can resolve the issue in compile. There is already a compile issue automatically created by Snyk but it's a breaking change. Del v7 and up requires ESM syntax.

Added the issue back to our snyk ignore for now but perhaps we should consider updating to ESM in the future?

Contributor

question (non-blocking): I don't think this needs to block this PR, but I wonder if the gulp dependency is needed here since the same version is included in uswds compile.

@annepetersen
Contributor

Looks like #2934's getting blocked by this but I'm not confident I can appropriately review this one. @heymatthenry, could you take a look?

Contributor

@amyleadem amyleadem left a comment

LGTM!

  • Confirmed I can run a clean npm install, npm start, npm run build, and npm run test without error.
  • Confirmed that the dependabot alert requirements have been addressed

A couple things:

  • I had one non-blocking question about needing the gulp dependency below.
  • Can you update the dependency and gem tables in the PR description? They don't seem to match what I see in the changed files


Contributor

@heymatthenry heymatthenry left a comment

LGTM! Thanks, @mahoneycm!

@heymatthenry heymatthenry merged commit 117e3db into main Nov 4, 2024
11 checks passed
@heymatthenry heymatthenry deleted the cm-POAM-oct-24 branch November 4, 2024 16:30