Update packages due to security warnings

[rcheetham]

We've accumulated a bunch of security warnings via dependabot (https://github.com/opendataphilly/opendataphilly-jkan/security). There are 14 of them, but multiple items are tied to common components. Here is the summarized list of the updates currently needed:

In 'Gemfile.lock"

• gem "webrick", ">= 1.8.2"
• gem "google-protobuf", ">= 3.25.5"
• gem "rexml", ">= 3.3.9"

In 'import/requirements.txt'

• requests>=2.32.0

In 'package-lock.json'

• "jquery": ">=3.5.0"
• "braces": ">=3.0.3"
• "json5": ">=2.2.2"

[BryanQuigley]

last time I evaluated none of them really would have any impact, but it has been quite a while.

there have been multiple attempts to drop some of the bigger dependencies upstream - namely jquery which increased in size in the newer versions.

will circle back

[BryanQuigley]

didn't seem to increase size of js - doing upstream here: timwis/jkan#291

[rcheetham]

The requests library at:

• 'import/requirements.txt'
  • requests>=2.32.0

still seems to be at 2.28.2

[BryanQuigley]

That's for the ckan to jkan importer. It's not code that's used at any stage of the site today.

I'm thinking just ignore it -unless someone asks us for help to bring their site from CKAN to JKAN?

[rcheetham]

Thanks. I'm going to close the Dependabot alerts and indicate the code was only used for migration.