
[dashboard] Upgrade react-scripts to latest version due to vulnerable dependencies #4502

Closed
castelblanque opened this issue Mar 25, 2022 · 3 comments
Labels: component/ui (Issue related to kubeapps UI), kind/enhancement (An issue that reports an enhancement for an implemented feature)

Comments

@castelblanque (Collaborator)

Description:

Currently Dashboard is using react-scripts v4.0.3.
When running yarn audit, 27 vulnerabilities are found:

21 vulnerabilities found - Packages audited: 2476
Severity: 2 Low | 10 Moderate | 8 High | 1 Critical

19 out of those 21 are related to react-scripts.
Some of those vulnerabilities can also be found in Dependabot's security report here.

Upgrading to v5 should fix most of the vulnerabilities, but it will require some work.
This version introduces breaking changes, so source code adaptations are needed too.

Dependency-wise, after upgrading to v5, only 3 vulnerabilities are left as of today. Two of them are related to swagger-ui-react.

3 vulnerabilities found - Packages audited: 2028
Severity: 1 Moderate | 2 High
castelblanque moved this to 🗂. Backlog in Kubeapps on Mar 25, 2022
castelblanque added the component/ui, priority/low and kind/enhancement labels on Mar 25, 2022
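One way to reproduce the "19 out of 21 are related to react-scripts" attribution from yarn's machine-readable output instead of reading the table by hand. This is an added example, not code from the Kubeapps project; it assumes the one-JSON-object-per-line format that yarn v1 `yarn audit --json` emits (auditAdvisory records carrying a resolution path and an advisory severity, followed by an auditSummary record) and runs over constructed sample records.

```python
import json
from collections import Counter

# Constructed sample of `yarn audit --json` output (yarn v1 prints one JSON
# object per line). Advisory ids, paths and titles below are made up.
SAMPLE_AUDIT = """\
{"type":"auditAdvisory","data":{"resolution":{"id":1001,"path":"react-scripts>webpack>ansi-html","dev":false},"advisory":{"id":1001,"module_name":"ansi-html","severity":"high","title":"constructed advisory 1"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1002,"path":"react-scripts>jest>jest-cli>glob-parent","dev":false},"advisory":{"id":1002,"module_name":"glob-parent","severity":"moderate","title":"constructed advisory 2"}}}
{"type":"auditAdvisory","data":{"resolution":{"id":1003,"path":"swagger-ui-react>dompurify","dev":false},"advisory":{"id":1003,"module_name":"dompurify","severity":"low","title":"constructed advisory 3"}}}
{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":1,"high":1,"critical":0},"totalDependencies":3}}
"""

SEVERITY_ORDER = ("critical", "high", "moderate", "low", "info")


def summarize_audit(ndjson_text):
    """Return (by_severity, by_root) Counters from yarn v1 `audit --json` output.

    by_root attributes each reported vulnerability to the top-level dependency
    at the head of its resolution path, i.e. the package you would upgrade.
    """
    by_severity = Counter()
    by_root = Counter()
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("type") != "auditAdvisory":
            continue  # skip the auditSummary record and any progress output
        data = record["data"]
        by_severity[data["advisory"]["severity"]] += 1
        root = data["resolution"]["path"].split(">")[0]
        by_root[root] += 1
    return by_severity, by_root


def vulnerabilities_via(ndjson_text, package):
    """How many reported vulnerabilities enter the tree through `package`."""
    _, by_root = summarize_audit(ndjson_text)
    return by_root[package]


def format_report(ndjson_text):
    """Render a summary in the same shape as yarn's own footer, plus per-root counts."""
    by_severity, by_root = summarize_audit(ndjson_text)
    total = sum(by_severity.values())
    sev = " | ".join(f"{by_severity[s]} {s.capitalize()}" for s in SEVERITY_ORDER if by_severity[s])
    lines = [f"{total} vulnerabilities found", f"Severity: {sev}"]
    lines += [f"  {n} via {root}" for root, n in by_root.most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_AUDIT))
```

Pipe real output in with `yarn audit --json | python3 audit_by_root.py` (reading stdin instead of SAMPLE_AUDIT) to see which top-level dependency an upgrade would have to target.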
@antgamdia (Contributor)

Thanks for pointing it out.
I did try to perform the upgrade, but I encountered some blockers. There are some unresolved upstream issues we are waiting for, as far as I remember.

See #4018

@castelblanque (Collaborator, Author)

Ok, previously I made a search for issues but none came up when searching react-scripts.
I see in that issue it is only mentioned once, but with a typo: The main problem is react-scrips.
That is why I didn't find it hahaha.
Thanks for pointing to the issue!

We might need to raise the priority of this upgrade, as dependencies of 4.x might fall behind.

@absoludity (Contributor)

So let's close this one and raise the priority on the other (let's discuss it in the planning).

Repository owner moved this from 🗂. Backlog to ✅. Done in Kubeapps on Mar 28, 2022