Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update EZID UI build tool packages to fix critical vulnerabilities #520

Merged
merged 6 commits into from
Dec 6, 2023
Merged

Update EZID UI build tool packages to fix critical vulnerabilities #520

merged 6 commits into from
Dec 6, 2023

Conversation

JoelCDL
Copy link
Contributor

@JoelCDL JoelCDL commented Dec 1, 2023

7 node packages have minor and patch updates applied via npm update command. One package has a major version update. These updates clear all vulnerabilities marked as "critical" when running npm audit. There are still 60 vulnerabilities listed in the audit, but all are ranked below critical status.

Included in these updates was this critical issue, which can now be closed: #491

Attempts were made to update the major versions of the 7 packages and lesser versions of others but doing so would break the build tool. Many packages are currently obsolete or no longer maintained.

Scripts for npm were added and build tool instructions clarified to help improve the tool usability. These new scripts should not have broken prior EZID app dependencies or build processes, but this should be verified before merging this PR into production.

The readme here documenting the UI organization and build processes may be out of date and contain information that is no longer relevant: https://github.com/CDLUC3/ezid/blob/main/dev/README

@JoelCDL JoelCDL requested a review from jsjiang December 1, 2023 00:10
@JoelCDL
Copy link
Contributor Author

JoelCDL commented Dec 1, 2023

The current state of the EZID UI is already baked into the application, so it's not necessary to install the build tool (via npm install) or run any of it's commands once this PR is merged.

@jsjiang jsjiang mentioned this pull request Dec 1, 2023
Open
@JoelCDL JoelCDL linked an issue Dec 1, 2023 that may be closed by this pull request
Apply security updates to EZID UI packages #519
Closed
@jsjiang jsjiang mentioned this pull request Dec 4, 2023
Closed
jsjiang
jsjiang approved these changes Dec 5, 2023
View reviewed changes
Copy link
Contributor

@jsjiang jsjiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good. We performed functional and UI tests. All look good.
Thank you Joel!

@rushirajnenuji
Copy link
Contributor

tested these changes on EZID Dev, everything looks good.

@jsjiang jsjiang marked this pull request as ready for review December 6, 2023 14:37
@jsjiang jsjiang merged commit 5c918dd into develop Dec 6, 2023
1 check passed
@jsjiang jsjiang deleted the ui-toolkit-updates branch July 26, 2024 22:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rushirajnenuji rushirajnenuji rushirajnenuji approved these changes

@jsjiang jsjiang jsjiang approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Apply security updates to EZID UI packages
3 participants
@JoelCDL @rushirajnenuji @jsjiang