Project

General

Profile

Actions
Copy link

Bug #21719

closed

Upgrade dependencies that have security reports in github

Added by Peter Amstutz 7 months ago. Updated 7 months ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Lucas Di Pentima
Category:
Workbench2
Target version:
Development 2024-05-08 sprint
Story points:
-
Release:
Arvados 3.0
Release relationship:
Auto

Related issues

Related to Arvados - Feature #21704: Eject workbench2 and remove dependency on create-react-appResolvedLisa KnoxActions
Actions
Copy link
 #1

Updated by Peter Amstutz 7 months ago

  • Assigned To set to Lucas Di Pentima
Actions
Copy link
 #2

Updated by Lucas Di Pentima 7 months ago

  • Status changed from New to In Progress
Actions
Copy link
 #3

Updated by Lucas Di Pentima 7 months ago

4d5675e04f @ 21719-deps-security-updates

Updates golang.org/x/net - developer-run-tests: #4185

Actions
Copy link
 #4

Updated by Lucas Di Pentima 7 months ago

  • ejs requires a newer react-scripts version (current version is 4.0.1)
  • loader-utils requires a newer webpack (among others) that in turn requires a newer react-scripts
  • lodash < 4.17.21 is vulnerable to command injection through the template function, but we have 4.17.21 installed so I'll dismiss the alert.
  • webpack-dev-middleware requires a newer webpack-dev-server that in turn requires a newer react-scripts
  • shell-quote & immer require a newer react-dev-utils that in turn requires a newer react-scripts
  • minimatch requires a newer recursive-readdir that in turn requires a newer react-dev-utils
  • scss-tokenizer requires a newer sass-graph that in turn requires a newer node-sass-chokidar. This should be handled in https://dev.arvados.org/issues/21722
  • node-forge requires a newer selfsigned that in turns requires a newer webpack-dev-server (see above)
  • ansi-html also requires a newer webpack-dev-server
  • node-fetch requires a newer isomorphic-fetch that in turn requires a newer fbjs that requires a newer recompose that in turn is a dependency of @material-ui/core, @material-ui/icons and react-dnd (all of these being a direct dependency from package.json, so that's good news!)
  • nth-check has a very long and branched dependency chain that ultimately requires a newer react-scripts
  • glob-parent requires a newer chokidar that requires a newer webpack-dev-server and watchpack-chokidar2 that ultimately depends on webpack and so, on react-scripts

The rest are "moderate" and "low" priority alerts that I'm guessing the majority also depend on react-scripts.

Actions
Copy link
 #5

Updated by Lucas Di Pentima 7 months ago

  • Related to Feature #21704: Eject workbench2 and remove dependency on create-react-app added
Actions
Copy link
 #6

Updated by Lucas Di Pentima 7 months ago

  • Status changed from In Progress to Resolved
Actions
Copy link
 #7

Updated by Peter Amstutz 7 months ago

  • Release set to 70
Actions
Copy link

Also available in: Atom PDF