Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(websocket): bump dependencies #17325

Merged
merged 3 commits into from
Nov 3, 2021
Merged

chore(websocket): bump dependencies #17325

merged 3 commits into from
Nov 3, 2021

Conversation

villebro
Copy link
Member

@villebro villebro commented Nov 2, 2021
edited
Loading

SUMMARY

Update all deps to most recent versions on superset-websocket to resolve audit warnings. The client-ws-app is also bumped to the most recent package versions, including migrating jade to pug (the project was renamed in 2016 when pug 2 was released). Some tests and type declarations are updated to fix typing errors.

After update npm run test passed and running Superset with Global Async Queries with websocket server worked as expected. Also the client-ws-app worked as expected.

AFTER

All vulnerabilities fixed:

$ pwd
/Users/ville/src/superset/superset-websocket
$ npm audit
found 0 vulnerabilities

$ pwd
/Users/ville/src/superset/superset-websocket/utils/client-ws-app
$ npm audit
found 0 vulnerabilities

BEFORE

Multiple vulnerabilities reported:

$ pwd
/Users/ville/src/superset/superset-websocket
$ npm audit
# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex

set-value  <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
fix available via `npm audit fix --force`
Will install jest@27.3.1, which is a breaking change
node_modules/set-value
  cache-base  >=0.7.0
  Depends on vulnerable versions of set-value
  Depends on vulnerable versions of union-value
  node_modules/cache-base
    base  >=0.7.0
    Depends on vulnerable versions of cache-base
    node_modules/base
      snapdragon  0.6.0 - 0.10.1
      Depends on vulnerable versions of base
      node_modules/snapdragon
        braces  2.0.0 - 2.3.2
        Depends on vulnerable versions of snapdragon
        node_modules/sane/node_modules/braces
        expand-brackets  1.0.0 - 2.1.4
        Depends on vulnerable versions of snapdragon
        node_modules/expand-brackets
        extglob  1.0.0 - 2.0.4
        Depends on vulnerable versions of snapdragon
        node_modules/extglob
        micromatch  3.0.0 - 3.1.10
        Depends on vulnerable versions of snapdragon
        node_modules/sane/node_modules/micromatch
          anymatch  2.0.0
          Depends on vulnerable versions of micromatch
          node_modules/sane/node_modules/anymatch
          sane  2.5.0 - 4.1.0
          Depends on vulnerable versions of micromatch
          node_modules/sane
            jest-haste-map  24.0.0-alpha.0 - 26.6.2
            Depends on vulnerable versions of sane
            node_modules/jest-haste-map
              @jest/core  <=26.6.3
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-snapshot
              node_modules/@jest/core
                jest  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/core
                Depends on vulnerable versions of jest-cli
                node_modules/jest
                jest-cli  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/core
                Depends on vulnerable versions of jest-config
                node_modules/jest/node_modules/jest-cli
              @jest/reporters  <=26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/reporters
              @jest/test-sequencer  <=26.6.3
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/test-sequencer
                jest-config  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/test-sequencer
                Depends on vulnerable versions of babel-jest
                Depends on vulnerable versions of jest-jasmine2
                node_modules/jest-config
                  jest-runner  24.0.0-alpha.0 - 26.6.3
                  Depends on vulnerable versions of jest-config
                  Depends on vulnerable versions of jest-haste-map
                  node_modules/jest-runner
                  jest-runtime  24.0.0-alpha.0 - 26.6.3
                  Depends on vulnerable versions of @jest/transform
                  Depends on vulnerable versions of jest-config
                  Depends on vulnerable versions of jest-haste-map
                  Depends on vulnerable versions of jest-snapshot
                  node_modules/jest-runtime
                    jest-jasmine2  24.2.0-alpha.0 - 26.6.3
                    Depends on vulnerable versions of jest-runtime
                    Depends on vulnerable versions of jest-snapshot
                    node_modules/jest-jasmine2
              @jest/transform  <=26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/transform
                babel-jest  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/transform
                node_modules/babel-jest
              jest-snapshot  24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/jest-snapshot
                jest-resolve-dependencies  26.1.0 - 26.6.3
                Depends on vulnerable versions of jest-snapshot
                node_modules/jest-resolve-dependencies
        nanomatch  >=0.1.1
        Depends on vulnerable versions of snapdragon
        node_modules/nanomatch
  union-value  *
  Depends on vulnerable versions of set-value
  node_modules/union-value

tmpl  <1.0.5
Severity: moderate
Regular Expression Denial of Service in tmpl - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl

28 vulnerabilities (2 moderate, 26 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

and for client-ws-app:

$ pwd
/Users/ville/src/superset/superset-websocket/utils/client-ws-app
$ npm audit
# npm audit report

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@0.31.2, which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@0.31.2, which is a breaking change
node_modules/constantinople
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  node_modules/jade

uglify-js  <=2.5.0
Severity: critical
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
fix available via `npm audit fix --force`
Will install jade@0.31.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  2.0.0 - 3.0.1
  Depends on vulnerable versions of uglify-js
  node_modules/transformers
    jade  >=0.30.0
    Depends on vulnerable versions of clean-css
    Depends on vulnerable versions of constantinople
    Depends on vulnerable versions of transformers
    node_modules/jade

5 vulnerabilities (1 low, 4 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@pull-request-size pull-request-size bot added size/S and removed size/XS labels Nov 2, 2021
@villebro
Copy link
Member Author

villebro commented Nov 2, 2021

FYI @rusackas as per your recommendation, I also fixed the warnings on the client app.

@pull-request-size pull-request-size bot added size/M and removed size/S labels Nov 3, 2021
villebro
villebro commented Nov 3, 2021
View reviewed changes
superset-websocket/package.json
"eslint": "^7.32.0",
"eslint-config-prettier": "^7.1.0",
"jest": "^27.3.1",
"prettier": "^2.4.1",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

prettier bumped to same version as superset-ui to make monorepo migration easier.

villebro
villebro commented Nov 3, 2021
View reviewed changes
superset-websocket/spec/index.test.ts
Comment on lines +462 to +472
const setReadyState = (ws: WebSocket, value: typeof ws.readyState) => {
// workaround for not being able to do
// spyOn(instance,'readyState','get').and.returnValue(value);
// See for details: https://github.com/facebook/jest/issues/9675
Object.defineProperty(ws, 'readyState', {
configurable: true,
get() {
return value;
},
});
};
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WebSocket.readyState has been made readonly in version 8 of ws, so the property needs to be mocked.

kgabryje
kgabryje approved these changes Nov 3, 2021
View reviewed changes
Copy link
Member

@kgabryje kgabryje left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@villebro villebro merged commit 33bcf82 into apache:master Nov 3, 2021
@villebro villebro deleted the villebro/bump-websocket branch November 3, 2021 10:17
AAfghahi pushed a commit that referenced this pull request Jan 10, 2022
@villebro @AAfghahi
chore(websocket): bump dependencies (#17325)
8b91b28 
* chore(websocket): bump dependencies

* bump client-ws-app

* bump more packages
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 1.5.0 labels Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kgabryje kgabryje kgabryje approved these changes

@rusackas rusackas Awaiting requested review from rusackas

Assignees
No one assigned
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels preset-io size/M 🚢 1.5.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@villebro @rusackas @kgabryje @mistercrunch