Dedupe & update idp service JS dependencies #2496

Open
pascalwengerter wants to merge 3 commits into opencloud-eu:main from pascalwengerter:fix/2460

@pascalwengerter
Contributor

Description

  1. pnpm dedupe — removed 35 duplicate packages
  2. pnpm update — updated all direct dependencies within semver ranges (axios, i18next, typescript, @babel/core, etc.)
  3. Added pnpm.overrides for serialize-javascript@<7.0.3 → >=7.0.3 to fix the high-severity RCE vulnerability in transitive deps of css-minimizer-webpack-plugin and workbox-webpack-plugin

Related Issue

@rhafer
Member

rhafer commented Mar 19, 2026

@pascalwengerter the licensechecker is failing with:

Package "i18next-conv@15.1.2" is licensed under "Custom: LICENSE.MD" which is not permitted by the --onlyAllow flag. Exiting.

I guess it's just a matter of updating services/idp/license-checker-clarifications.json with the new version number.

@pascalwengerter
Contributor Author

> @pascalwengerter the licensechecker is failing with:
>
> Package "i18next-conv@15.1.2" is licensed under "Custom: LICENSE.MD" which is not permitted by the --onlyAllow flag. Exiting.
>
> I guess it's just a matter of updating services/idp/license-checker-clarifications.json with the new version number.

@rhafer thanks for the swift reply, addressed that and found another JS-related improvement 🤓

Member

@rhafer rhafer left a comment

Small note about the used image. Looks good otherwise.

Dockerfile Outdated


FROM owncloudci/nodejs:18 AS generate
FROM owncloudci/nodejs:22 AS generate
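
Review bot: the replacement `FROM owncloudci/nodejs:22 AS generate` line still references the base image by a mutable tag only. Pinning the image to a digest (tag plus `@sha256:<digest>`) would make the build reproducible and keep a re-pushed tag from silently changing what the `generate` stage runs on.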

Good catch. I think we should switch to "quay.io/opencloudeu/nodejs-ci:24" though. (That is also what we use in the build steps in CI)

@rhafer
Member

rhafer commented Mar 23, 2026

@pascalwengerter Sorry for the inconvenience, but I think you need to rebase the PR on top of latest main once more. We added some change regarding branch protection to the CI recently that prevents this PR from being merged. A rebase should fix that.

@pascalwengerter
Contributor Author

> @pascalwengerter Sorry for the inconvenience, but I think you need to rebase the PR on top of latest main once more. We added some change regarding branch protection to the CI recently that prevents this PR from being merged. A rebase should fix that.

@rhafer no problem, could've rebased before adding the comment earlier. Done so now
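
Step 3 of the PR description depends on the override actually removing every serialize-javascript version below 7.0.3 from the lockfile. The following is an added example, not code from this PR or the OpenCloud repository, that scans lockfile text for leftover versions below that floor; the function names, the sample lockfile text and the assumed key format (`name@version:`, optionally prefixed with `/`) are illustrative assumptions.

```javascript
// Constructed pnpm-lock.yaml excerpt (not from the PR): one stale entry
// below the floor, one entry that satisfies the override, one unrelated package.
const SAMPLE_LOCK = `
packages:

  serialize-javascript@6.0.2:
    resolution: {integrity: sha512-CONSTRUCTED}

  serialize-javascript@7.0.3:
    resolution: {integrity: sha512-CONSTRUCTED}

  /some-other-pkg@1.0.0:
    resolution: {integrity: sha512-CONSTRUCTED}
`;

// Parse "major.minor.patch" into numbers. Pre-release and build suffixes
// are ignored, which is a simplification of full semver ordering.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly lower than version b (numeric compare).
function isBelow(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Return every resolved version of `name` in the lockfile text below `floor`.
// Assumed key format: "name@version:" or "/name@version:", optionally quoted
// and optionally followed by a "(peer...)" suffix.
function findBelowFloor(lockText, name, floor) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
  const key = new RegExp(`^\\s*['"]?/?${escaped}@(\\d+\\.\\d+\\.\\d+[^:'"(]*)`, 'gm');
  const hits = new Set();
  for (const m of lockText.matchAll(key)) {
    if (isBelow(m[1], floor)) hits.add(m[1]);
  }
  return [...hits].sort();
}
```

A non-empty result from `findBelowFloor(lockText, 'serialize-javascript', '7.0.3')` after `pnpm install` means some dependency path still resolves to a version the override was meant to exclude.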

Development

Successfully merging this pull request may close these issues.

Address dependabot alert for services/idp

2 participants