chore: add npm overrides to create-plugin templates#2662
Conversation
Hello! 👋 This repository uses Auto for releasing packages using PR labels. ✨ This PR can be merged. It will not be considered when calculating future versions of the npm packages and will not appear in the changelogs.
Pull request overview
This PR updates the @grafana/create-plugin templates to mitigate known transitive dependency vulnerabilities in generated plugins, and refreshes Go template module settings.
Changes:
- Adds an `overrides` block to the common template `package.json` to pin vulnerable transitive dependencies.
- Updates the backend template Go version directive and bumps several `golang.org/x/*` indirect dependencies in the `go.mod` templates.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/create-plugin/templates/common/_package.json | Adds npm overrides to pin vulnerable transitive dependencies in generated frontend projects. |
| packages/create-plugin/templates/backend/go.mod | Updates Go toolchain/version directive and bumps several indirect golang.org/x/* module versions. |
| packages/create-plugin/templates/backend-app/go.mod | Same as backend/go.mod for the backend-app template. |
```json
"overrides": {
  "immutable": "5.1.5",
  "serialize-javascript": "7.0.5",
  "js-cookie": "3.0.7",
  "dompurify": "3.4.6",
  "fast-uri": "3.1.2",
  "@protobufjs/utf8": "1.1.1",
  "qs": "6.15.2",
  "@grafana/ui": {
    "uuid": "11.1.1"
  }
```
I'm not convinced we should be doing this.
These overrides will update the versions of these dependencies across the dependency graph which could cause bugs which are hard to track down in the packages that depend on them.
The overrides property is NPM only. Yarn relies on resolutions whilst PNPM relies on overrides in its pnpm-workspace.yaml file. I think this will create a maintenance burden on us keeping all these in sync.
Could you suggest another way of moving plugin-examples to SLO? These overrides will work on plugin-examples, because we use npm there, in other cases it will be just ignored, or am I mistaken?
I would try to fix them at the source so any current consumers also benefit. I imagine most of these are due to our grafana packages pinning dependencies.
This reverts commit 139ce47.
Added npm overrides to fix transitive dependency vulnerabilities.
This affects grafana-plugin-examples, which is generated from this template.
Fixes https://github.com/grafana/grafana-catalog-team/issues/921