Update node packages to fix security vulnerabilities #2575

akchinSTC · 2022-03-16T18:27:24Z

What changes were proposed in this pull request?

This PR resolves a number of security vulnerabilities

medium

react-dev-utils CVE-2021-24033

high

node-forge CVE-2022-24772, CVE-2022-24771, CVE-2022-24773, CVE-2022-0122,
trim-newlines CVE-2021-33623
ansi-html CVE-2021-23424
ejs CVE-2022-29078
glob-parent CVE-2020-28469

critical

immer CVE-2021-23436 CVE-2021-3757 CVE-2020-28477

How was this pull request tested?

PR was run against the test-ui target test suite.

Developer's Certificate of Origin 1.1

   By making a contribution to this project, I certify that:

   (a) The contribution was created in whole or in part by me and I
       have the right to submit it under the Apache License 2.0; or

   (b) The contribution is based upon previous work that, to the best
       of my knowledge, is covered under an appropriate open source
       license and I have the right under that license to submit that
       work with modifications, whether created in whole or in part
       by me, under the same open source license (unless I am
       permitted to submit under a different license), as indicated
       in the file; or

   (c) The contribution was provided directly to me by some other
       person who certified (a), (b) or (c) and I have not modified
       it.

   (d) I understand and agree that this project and the contribution
       are public and that a record of the contribution (including all
       personal information I submit with it, including my sign-off) is
       maintained indefinitely and may be redistributed consistent with
       this project or the open source license(s) involved.

elyra-bot · 2022-03-16T18:45:33Z

Thanks for making a pull request to Elyra!

To try out this branch on binder, follow this link:

akchinSTC · 2022-03-17T18:51:06Z

Update to use react-scripts v5.0.0 is causing us to pull in a problematic release(v27) causing the ui-tests to fail.
Looks like a fix is in place pending release of jest v28.
See jestjs/jest#11444

karlaspuldaro · 2022-05-10T20:15:34Z

Dependency marked | Version< 4.0.10 | Upgrade to~> 4.0.10
CVE-2022-21680 High severity
CVE-2022-21681 High severity

being addressed upstream - JupyterLab PR #12535

akchinSTC marked this pull request as draft March 16, 2022 18:27

akchinSTC marked this pull request as ready for review March 16, 2022 18:29

akchinSTC marked this pull request as draft March 16, 2022 18:31

akchinSTC marked this pull request as ready for review March 16, 2022 20:30

akchinSTC force-pushed the npm-fixes branch from cbcf889 to 6bf9c29 Compare March 16, 2022 20:31

akchinSTC marked this pull request as draft March 16, 2022 21:29

akchinSTC linked an issue Mar 17, 2022 that may be closed by this pull request

Update out-of-date node packages to address security issues #2565

Closed

akchinSTC added component:build build and build related issues(dependencies and docker) external:Upstream Depended on deliverables in other repos outside the elyra org labels Mar 17, 2022

akchinSTC added the impact:blocked label Apr 5, 2022

akchinSTC force-pushed the npm-fixes branch from f81ec31 to d291e6b Compare April 28, 2022 17:23

akchinSTC force-pushed the npm-fixes branch from d291e6b to 8ba3f47 Compare May 5, 2022 20:28

Test first two resolutions

6adc0c9

akchinSTC force-pushed the npm-fixes branch from 8ba3f47 to 6adc0c9 Compare May 9, 2022 20:17

Update react-scripts to latest non-breaking and regen snapshots

0502731

akchinSTC marked this pull request as ready for review May 9, 2022 21:31

akchinSTC requested a review from marthacryan May 9, 2022 21:33

akchinSTC added 2 commits May 9, 2022 17:04

update react dev utils for immer critical vuln

daca2a5

Update node-forge package to patch vuln

743739f

akchinSTC removed impact:blocked external:Upstream Depended on deliverables in other repos outside the elyra org labels May 10, 2022

akchinSTC added 3 commits May 10, 2022 08:38

add ansi-html vuln fix

d731d11

update ejs transitive for security

80cae93

update glob-parent transitive for security

66ad811

akchinSTC added this to the 3.9.0 milestone May 10, 2022

marthacryan approved these changes May 11, 2022

View reviewed changes

akchinSTC merged commit 5345dc8 into elyra-ai:master May 12, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update node packages to fix security vulnerabilities #2575

Update node packages to fix security vulnerabilities #2575

akchinSTC commented Mar 16, 2022 •

edited

elyra-bot bot commented Mar 16, 2022

akchinSTC commented Mar 17, 2022 •

edited

karlaspuldaro commented May 10, 2022

Update node packages to fix security vulnerabilities #2575

Update node packages to fix security vulnerabilities #2575

Conversation

akchinSTC commented Mar 16, 2022 • edited

What changes were proposed in this pull request?

How was this pull request tested?

elyra-bot bot commented Mar 16, 2022

akchinSTC commented Mar 17, 2022 • edited

karlaspuldaro commented May 10, 2022

akchinSTC commented Mar 16, 2022 •

edited

akchinSTC commented Mar 17, 2022 •

edited