Apply security updates to EZID UI packages

[jsjiang]

Apply security updates to the EZID UI packages

[jsjiang]

Routine dependency scans ticket: #494

[jsjiang]

Joel provided fixes and documented changes in Pull request for Update EZID UI build tool packages to fix critical vulnerabilities

[jsjiang]

Deployed branch ui-toolkit-updates on ezid-dev for testing.

[jsjiang]

Functional test by running verify_ezid_after_patching.py: passed
UI tests: Maria and Jing performed UI tests. All look good.

[jsjiang]

• Rushiraji performed UI test on ezid-dev
• Merged pull request
• created release tag v3.2.1 and release note
• deployed v3.2.1 on ezid-stg

[jsjiang]

@JoelCDL Hi Joel, I merged the pull request and the fixes cleared almost all Dependatbot alerts. Great job! Thank you!

There are still two more high security alerts (https://github.com/CDLUC3/ezid/security/dependabot):

• from the UI packages: "Prototype Pollution in lodash.merge"
• from EZID app: ReDos

I will work on the EZID one. Can you take a look at the UI one and let me know if we need to do anything to clear it.

Thank you

Jing

[JoelCDL]

@jsjiang With the lodash.merge issue, you can click the "Create Dependabot security update" here, then merge in the change: https://github.com/CDLUC3/ezid/security/dependabot/8

[jsjiang]

@JoelCDL Got it. Thank you Joel! -Jing

[jsjiang]

Failed to update lodash.merge due to conflicting dependencies:

Dependabot cannot update lodash.merge to a non-vulnerable version
The latest possible version that can be installed is 3.3.2 because of the following conflicting dependencies:

[email protected] requires lodash.merge@^3.1.0
[email protected] requires lodash.merge@^3.3.2 via [email protected]
No patched version available for lodash.merge
The earliest fixed version is 4.6.2.

[jsjiang]

Deployed on ezid-prd 12/6.