Address Vulnerabilities in Admin Portal v1/v2 #2530
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… frontend to use and support Bootstrap v5. Removed unused libraries in package.json. Cleaned up package.json files.
carlowisse
requested review from
jewzaam,
m1kola,
bennerv,
hawkowl,
rogbas,
petrkotas,
darthhexx,
jharrington22,
cblecker,
facchettos and
cadenmarchese
as code owners
|
LGTM! |
|
Please rebase pull request. |
darthhexx
approved these changes
Nov 10, 2022
|
Good to merge on green E2E. |
Did we check the portal UI with these changes to make sure nothing is broken? I don't want to hold this PR and subsequent Release because of this, but at the same time having a broken portal can cause issues for oncall I guess we can test this once it gets to canary |
|
Hey Karan, yes I tested and re-tested this (locally) after each rebase and after each upgrade to a package to see (if) anything broke and then iteratively fixed as I went. This upgrade did break the v1 portal which is why there are block changes to the frontend code for v1. Nothing much changed for v2 besides it becoming a little faster. |
|
Thanks @carlowisse |
cfsmikedrum
pushed a commit
to CloudFitSoftware/ARO-RP
that referenced
this pull request
Dec 8, 2022
… frontend to use and support Bootstrap v5. Removed unused libraries in package.json. Cleaned up package.json files. (Azure#2530)
cfsmikedrum
pushed a commit
to CloudFitSoftware/ARO-RP
that referenced
this pull request
Dec 8, 2022
… frontend to use and support Bootstrap v5. Removed unused libraries in package.json. Cleaned up package.json files. (Azure#2530)
cfsmikedrum
pushed a commit
to CloudFitSoftware/ARO-RP
that referenced
this pull request
Dec 8, 2022
… frontend to use and support Bootstrap v5. Removed unused libraries in package.json. Cleaned up package.json files. (Azure#2530)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Which issue this PR addresses:
ADO Card
What this PR does / why we need it:
Dependabot picked up on several vulnerabilities in NPM packages used by admin portal v1 and v2. Namely the following 2:
Loader Utils is a bit of a tricky one because we don't call it directly, a few of our dependencies, dependcies require it at version 2 verbatim. While the latest version is 3.2.0, if we force version 3, it breaks build for admin portal v2 as the new version removed a core function that is required by our dependencies dependencies.
However, the developer has updated 2.0.0 to 2.0.3 to address vulnerabilities which I am now forcing all dependencies to use. It does not directly relate to the regex vulnerability, however with good regex practices the vulnerability is mitigated. I also noted that the alert for this vulnerability mentions the use of react-scripts 4.0.3, which we are no longer using anywhere (upgraded to 5.0.3).
More can be read here:
Test plan for issue:
V1
V2
Is there any documentation that needs to be updated for this PR?
No.