Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2021/11/02 17:28:43 UTC
[GitHub] [superset] villebro opened a new pull request #17325: chore(websocket): bump dependencies
villebro opened a new pull request #17325:
URL: https://github.com/apache/superset/pull/17325
### SUMMARY
Update `superset-websocket` deps to resolve audit warnings and resolve conflicts due to the bump to jest 27. After the update, `npm run test` passed, and running Superset with Global Async Queries and the websocket server worked as expected.
### AFTER
All vulnerabilities fixed:
```
$ npm audit
found 0 vulnerabilities
```
### BEFORE
Multiple
```
$ npm audit
# npm audit report
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
set-value <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
fix available via `npm audit fix --force`
Will install jest@27.3.1, which is a breaking change
node_modules/set-value
cache-base >=0.7.0
Depends on vulnerable versions of set-value
Depends on vulnerable versions of union-value
node_modules/cache-base
base >=0.7.0
Depends on vulnerable versions of cache-base
node_modules/base
snapdragon 0.6.0 - 0.10.1
Depends on vulnerable versions of base
node_modules/snapdragon
braces 2.0.0 - 2.3.2
Depends on vulnerable versions of snapdragon
node_modules/sane/node_modules/braces
expand-brackets 1.0.0 - 2.1.4
Depends on vulnerable versions of snapdragon
node_modules/expand-brackets
extglob 1.0.0 - 2.0.4
Depends on vulnerable versions of snapdragon
node_modules/extglob
micromatch 3.0.0 - 3.1.10
Depends on vulnerable versions of snapdragon
node_modules/sane/node_modules/micromatch
anymatch 2.0.0
Depends on vulnerable versions of micromatch
node_modules/sane/node_modules/anymatch
sane 2.5.0 - 4.1.0
Depends on vulnerable versions of micromatch
node_modules/sane
jest-haste-map 24.0.0-alpha.0 - 26.6.2
Depends on vulnerable versions of sane
node_modules/jest-haste-map
@jest/core <=26.6.3
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-snapshot
node_modules/@jest/core
jest 24.2.0-alpha.0 - 26.6.3
Depends on vulnerable versions of @jest/core
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-cli 24.2.0-alpha.0 - 26.6.3
Depends on vulnerable versions of @jest/core
Depends on vulnerable versions of jest-config
node_modules/jest/node_modules/jest-cli
@jest/reporters <=26.6.2
Depends on vulnerable versions of jest-haste-map
node_modules/@jest/reporters
@jest/test-sequencer <=26.6.3
Depends on vulnerable versions of jest-haste-map
node_modules/@jest/test-sequencer
jest-config 24.2.0-alpha.0 - 26.6.3
Depends on vulnerable versions of @jest/test-sequencer
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of jest-jasmine2
node_modules/jest-config
jest-runner 24.0.0-alpha.0 - 26.6.3
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
node_modules/jest-runner
jest-runtime 24.0.0-alpha.0 - 26.6.3
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-snapshot
node_modules/jest-runtime
jest-jasmine2 24.2.0-alpha.0 - 26.6.3
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-snapshot
node_modules/jest-jasmine2
@jest/transform <=26.6.2
Depends on vulnerable versions of jest-haste-map
node_modules/@jest/transform
babel-jest 24.2.0-alpha.0 - 26.6.3
Depends on vulnerable versions of @jest/transform
node_modules/babel-jest
jest-snapshot 24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
Depends on vulnerable versions of jest-haste-map
node_modules/jest-snapshot
jest-resolve-dependencies 26.1.0 - 26.6.3
Depends on vulnerable versions of jest-snapshot
node_modules/jest-resolve-dependencies
nanomatch >=0.1.1
Depends on vulnerable versions of snapdragon
node_modules/nanomatch
union-value *
Depends on vulnerable versions of set-value
node_modules/union-value
tmpl <1.0.5
Severity: moderate
Regular Expression Denial of Service in tmpl - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl
28 vulnerabilities (2 moderate, 26 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
```
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] villebro commented on a change in pull request #17325: chore(websocket): bump dependencies
Posted by GitBox <gi...@apache.org>.
villebro commented on a change in pull request #17325:
URL: https://github.com/apache/superset/pull/17325#discussion_r741686741
##########
File path: superset-websocket/package.json
##########
@@ -16,29 +16,33 @@
"license": "Apache-2.0",
"dependencies": {
"cookie": "^0.4.1",
- "hot-shots": "^8.3.1",
- "ioredis": "^4.16.1",
+ "hot-shots": "^9.0.0",
+ "ioredis": "^4.28.0",
"jsonwebtoken": "^8.5.1",
"uuid": "^8.3.2",
"winston": "^3.3.3",
- "ws": "^7.4.2"
+ "ws": "^8.2.3"
},
"devDependencies": {
- "@types/cookie": "^0.4.0",
- "@types/ioredis": "^4.22.0",
- "@types/jest": "^26.0.20",
- "@types/jsonwebtoken": "^8.5.1",
- "@types/node": "^14.14.22",
- "@types/uuid": "^8.3.0",
- "@types/ws": "^7.4.0",
+ "@types/cookie": "^0.4.1",
+ "@types/ioredis": "^4.27.8",
+ "@types/jest": "^27.0.2",
+ "@types/jsonwebtoken": "^8.5.5",
+ "@types/node": "^16.11.6",
+ "@types/uuid": "^8.3.1",
+ "@types/ws": "^8.2.0",
"@typescript-eslint/eslint-plugin": "^4.19.0",
"@typescript-eslint/parser": "^4.19.0",
- "eslint": "^7.22.0",
- "eslint-config-prettier": "^8.1.0",
- "jest": "^26.6.3",
- "prettier": "2.2.1",
- "ts-jest": "^26.5.3",
+ "eslint": "^7.32.0",
+ "eslint-config-prettier": "^7.1.0",
+ "jest": "^27.3.1",
+ "prettier": "^2.4.1",
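Review bot: `eslint-config-prettier` moves from `^8.1.0` to `^7.1.0`, a major-version downgrade in a PR titled "bump dependencies"; if this is deliberate alignment with `superset-ui`, say so in the description, otherwise it reads like a typo for `^8.x`. The removed `"ts-jest": "^26.5.3"` has no replacement in the visible part of the hunk; since `jest` moves to `^27.3.1`, confirm the rest of the hunk adds a matching `ts-jest` 27.x line. `ws` also goes from `^7.4.2` to `^8.2.3`, a major bump, so the ws 8 breaking changes (not only the `npm audit` result) should drive the manual testing here.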
Review comment:
`prettier` bumped to same version as `superset-ui` to make monorepo migration easier.
##########
File path: superset-websocket/spec/index.test.ts
##########
@@ -459,6 +459,18 @@ describe('server', () => {
});
});
+ const setReadyState = (ws: WebSocket, value: typeof ws.readyState) => {
+ // workaround for not being able to do
+ // spyOn(instance,'readyState','get').and.returnValue(value);
+ // See for details: https://github.com/facebook/jest/issues/9675
+ Object.defineProperty(ws, 'readyState', {
+ configurable: true,
+ get() {
+ return value;
+ },
+ });
+ };
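Review bot: `setReadyState` installs an own accessor with a getter only and never removes it, so a state mocked in one test persists on that instance for every later test that reuses it; pair it with a cleanup (`delete ws.readyState;` in an `afterEach`, which works because the descriptor is `configurable: true`) or have the helper return a restore function. The comment's `spyOn(instance,'readyState','get').and.returnValue(value)` is jasmine syntax; in a jest spec the attempted form would be `jest.spyOn(ws, 'readyState', 'get').mockReturnValue(value)`, so the comment should quote what was actually tried.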
Review comment:
`WebSocket.readyState` has been made `readonly` in version 8 of `ws`, so the property needs to be mocked.
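An added example (not code from the Superset PR) showing, in plain JavaScript, the technique the review comment above relies on: shadowing a getter-only `readyState` on a single instance with `Object.defineProperty`, and removing the override afterwards so mocked state does not leak between tests. `FakeWebSocket` is a constructed stand-in for ws 8's `WebSocket`; `restoreReadyState` and `demo` are helpers introduced here.

```javascript
// Stand-in for ws 8's WebSocket: readyState is exposed through a getter only
// (constructed for this example; the real class derives it from socket state).
class FakeWebSocket {
  constructor() { this._state = 0; } // 0 = CONNECTING
  get readyState() { return this._state; }
  static get OPEN() { return 1; }
}

// Same technique as the PR's test helper: an own, configurable accessor on
// the instance shadows the prototype getter for this instance only.
function setReadyState(ws, value) {
  Object.defineProperty(ws, 'readyState', {
    configurable: true,
    get() { return value; },
  });
}

// Cleanup counterpart (assumed helper): deleting the own property re-exposes
// the prototype getter, so the override does not survive into later tests.
function restoreReadyState(ws) {
  delete ws.readyState;
}

// Why the helper is needed: assigning to a getter-only accessor is a
// TypeError in strict mode (and silently ignored in sloppy mode).
function assignmentThrows(ws) {
  'use strict';
  try {
    ws.readyState = FakeWebSocket.OPEN;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Walk through the full mock / observe / restore cycle on one instance.
function demo() {
  const ws = new FakeWebSocket();
  const before = ws.readyState;                       // 0, from the prototype getter
  const threw = assignmentThrows(ws);                 // true: direct assignment fails
  setReadyState(ws, FakeWebSocket.OPEN);
  const mocked = ws.readyState;                       // 1, from the own accessor
  const isOwn = Object.prototype.hasOwnProperty.call(ws, 'readyState'); // true
  restoreReadyState(ws);
  const after = ws.readyState;                        // 0 again, override removed
  return { before, threw, mocked, isOwn, after };
}
```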
[GitHub] [superset] villebro merged pull request #17325: chore(websocket): bump dependencies
Posted by GitBox <gi...@apache.org>.
villebro merged pull request #17325:
URL: https://github.com/apache/superset/pull/17325
[GitHub] [superset] villebro commented on pull request #17325: chore(websocket): bump dependencies
Posted by GitBox <gi...@apache.org>.
villebro commented on pull request #17325:
URL: https://github.com/apache/superset/pull/17325#issuecomment-958182916
FYI @rusackas as per your recommendation, I also fixed the warnings on the client app.
[GitHub] [superset] villebro commented on a change in pull request #17325: chore(websocket): bump dependencies
Posted by GitBox <gi...@apache.org>.
villebro commented on a change in pull request #17325:
URL: https://github.com/apache/superset/pull/17325#discussion_r741761025
##########
File path: superset-websocket/spec/index.test.ts
##########
@@ -459,6 +459,18 @@ describe('server', () => {
});
});
+ const setReadyState = (ws: WebSocket, value: typeof ws.readyState) => {
+ // workaround for not being able to do
+ // spyOn(instance,'readyState','get').and.returnValue(value);
+ // See for details: https://github.com/facebook/jest/issues/9675
+ Object.defineProperty(ws, 'readyState', {
+ configurable: true,
+ get() {
+ return value;
+ },
+ });
+ };
Review comment:
`WebSocket.readyState` has been made `readonly` in version 8 of `ws`, so the property needs to be mocked.