Address Vulnerabilities in Admin Portal v1/v2 #2530
Conversation
… frontend to use and support Bootstrap v5. Removed unused libraries in package.json. Cleaned up package.json files.
LGTM!
Please rebase pull request.
lgtm
Good to merge on green E2E.
Did we check the portal UI with these changes to make sure nothing is broken? I don't want to hold this PR and the subsequent release because of this, but at the same time having a broken portal can cause issues for oncall. I guess we can test this once it gets to canary.
Hey Karan, yes I tested and re-tested this (locally) after each rebase and after each upgrade to a package to see (if) anything broke and then iteratively fixed as I went. This upgrade did break the v1 portal, which is why there are block changes to the frontend code for v1. Nothing much changed for v2 besides it becoming a little faster.
Thanks @carlowisse
… frontend to use and support Bootstrap v5. Removed unused libraries in package.json. Cleaned up package.json files. (Azure#2530)
Which issue this PR addresses:
ADO Card
What this PR does / why we need it:
Dependabot picked up on several vulnerabilities in NPM packages used by admin portal v1 and v2. Namely the following 2:
Loader Utils is a bit of a tricky one because we don't call it directly; a few of our dependencies' dependencies require it at version 2 verbatim. While the latest version is 3.2.0, if we force version 3, it breaks the build for admin portal v2, as the new version removed a core function that is required by our dependencies' dependencies.
However, the developer has updated 2.0.0 to 2.0.3 to address vulnerabilities, which I am now forcing all dependencies to use. It does not directly relate to the regex vulnerability; however, with good regex practices the vulnerability is mitigated. I also noted that the alert for this vulnerability mentions the use of react-scripts 4.0.3, which we are no longer using anywhere (upgraded to 5.0.3).
More can be read here:
Test plan for issue:
V1
V2
Is there any documentation that needs to be updated for this PR?
No.
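As an added illustration of the approach the description takes (forcing every transitive copy of `loader-utils` onto the patched 2.0.3 release rather than jumping to 3.x, which broke the v2 build), this is what the npm `overrides` field looks like in a `package.json`. It is example configuration, not the repository's own file; the direct dependency name `some-build-tool` is a placeholder standing in for whichever packages pull `loader-utils` in. Yarn projects use a `resolutions` field for the same purpose.

```json
{
  "name": "admin-portal-example",
  "private": true,
  "dependencies": {
    "some-build-tool": "^1.0.0"
  },
  "overrides": {
    "loader-utils": "2.0.3"
  }
}
```

After reinstalling, `npm ls loader-utils` prints every resolved copy in the tree, which is the quick check that no dependency is still being served an older 2.x build; if the override is ever bumped to 3.x, expect the same build failure the description mentions until the dependencies that rely on the removed function are updated.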