docs/team-process.md
+11-6
@@ -158,9 +158,14 @@ If dependencies have no patch, replace it with an alternative, or wait for the l
158
158
159
159
Below is a list of dependencies that are locked down due to known issues with security, integration problems within DAWSON, etc. Try to update these items but please be aware of the issue that's documented and ensure it's been resolved.
160
160
161
-
-`@fortawesome` packages locked down to versions pre-6.x.x to maintain consistency of icon styling until there is usability feedback and research that determines we should change them. This includes packages:
162
-
-`@fortawesome/free-solid-svg-icons`
163
-
-`@fortawesome/free-regular-svg-icons`
164
-
-`@fortawesome/fontawesome-svg-core`
165
-
166
-
- It'd be good to keep an eye on `s3rver` for when it exceeds 3.7.1. We have a patch in place for called `s3rver+3.7.1.patch` in order to address the high severity issue exposed by `s3rver`'s dependency on `busboy` 0.3.1, which relies on `dicer` that actually has the [security issue](https://github.com/advisories/GHSA-wm7h-9275-46v2). Unfortunately, `busboy` >0.3.1, aka ^1.0.0, is incompatible with s3rver which is why there's a patch in place to make it compatible.
161
+
1.`@fortawesome` packages locked down to versions pre-6.x.x to maintain consistency of icon styling until there is usability feedback and research that determines we should change them. This includes packages:
162
+
-`@fortawesome/free-solid-svg-icons`
163
+
-`@fortawesome/free-regular-svg-icons`
164
+
-`@fortawesome/fontawesome-svg-core`
165
+
166
+
2. Check if there are updates to `s3rver` above version [3.7.1](https://www.npmjs.com/package/s3rver).
167
+
- Why is there a patch called `s3rver+3.7.1.patch`?
168
+
- To address the high severity issue exposed by `s3rver`'s dependency on `busboy` 0.3.1, which relies on `dicer` that actually has the [security issue](https://github.com/advisories/GHSA-wm7h-9275-46v2). Unfortunately, `busboy` >0.3.1, aka ^1.0.0, is incompatible with s3rver which is why there's a patch in place to make it compatible.
169
+
- How does the patch run?
170
+
- This runs as part of the `npm postinstall` step.
171
+
- Common troubleshooting: If you see the high severity audit issue warning for `dicer`, run a full `npm install` rather than a single package update, as this will run the `postinstall` which is required to run the patch that addresses the security issue.