Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2022/01/14 21:53:46 UTC
[GitHub] [superset] VisaLilyFeng opened a new pull request #18057: fix(Vulnerable dependency): dependency version update for jquery and bootstrap
VisaLilyFeng opened a new pull request #18057:
URL: https://github.com/apache/superset/pull/18057
### SUMMARY
1. The application is running a vulnerable version of jQuery, v3.4.1, which was released on May 1, 2019.
https://snyk.io/test/npm/jquery/3.4.1
Impact
The noted version of the product is vulnerable to cross-site scripting.
2. The application is running a vulnerable version of Bootstrap v3.4.1, which was released on February 15, 2019.
Impact
The noted version of the product is vulnerable to cross-site scripting attacks. However, this vulnerability was not identified during this test and the finding is based on the vulnerable version returned, hence it warrants a low severity rating.
CVE ID:
• CVE-2019-8331
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] nytai commented on a change in pull request #18057: fix(Vulnerable dependency): dependency version update for jquery and bootstrap
Posted by GitBox <gi...@apache.org>.
nytai commented on a change in pull request #18057:
URL: https://github.com/apache/superset/pull/18057#discussion_r785350111
##########
File path: superset-frontend/package.json
##########
@@ -113,7 +113,7 @@
"antd": "^4.9.4",
"array-move": "^2.2.1",
"babel-plugin-typescript-to-proptypes": "^2.0.0",
- "bootstrap": "^3.4.1",
+ "bootstrap": "^5.1.1",
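Review bot: the `+ "bootstrap": "^5.1.1",` line jumps two major versions, while the thread itself states that the CVE-2019-8331 fix landed in 4.3.1 and that the package only remains for FAB template menus; the smallest change that closes the finding is `"bootstrap": "^4.3.1"` (or dropping the dependency if those FAB pages are gone), and the jump to 5.x needs its own justification because nothing in the thread confirms the remaining FAB templates render against it. The same change should carry the regenerated lockfile (the `package.*.json` references nytai mentions), since editing the range in package.json alone does not alter the version that is actually installed.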
Review comment:
We removed bootstrap from the frontend, are we exposing this package anywhere or just using the styles? I only see references to it in `package.*.json`
[GitHub] [superset] etr2460 commented on a change in pull request #18057: fix(Vulnerable dependency): dependency version update for jquery and bootstrap
Posted by GitBox <gi...@apache.org>.
etr2460 commented on a change in pull request #18057:
URL: https://github.com/apache/superset/pull/18057#discussion_r785248973
##########
File path: superset-frontend/package.json
##########
@@ -113,7 +113,7 @@
"antd": "^4.9.4",
"array-move": "^2.2.1",
"babel-plugin-typescript-to-proptypes": "^2.0.0",
- "bootstrap": "^3.4.1",
+ "bootstrap": "^5.1.1",
Review comment:
bootstrap is only used to enable menus from FAB to work. So 2 questions:
1. Do we still need this, or have we replaced the FAB menus everywhere?
2. Do we need to ensure FAB is using bootstrap v5 before we make this upgrade?
[GitHub] [superset] VisaLilyFeng commented on a change in pull request #18057: fix(Vulnerable dependency): dependency version update for jquery and bootstrap
Posted by GitBox <gi...@apache.org>.
VisaLilyFeng commented on a change in pull request #18057:
URL: https://github.com/apache/superset/pull/18057#discussion_r785256321
##########
File path: superset-frontend/package.json
##########
@@ -113,7 +113,7 @@
"antd": "^4.9.4",
"array-move": "^2.2.1",
"babel-plugin-typescript-to-proptypes": "^2.0.0",
- "bootstrap": "^3.4.1",
+ "bootstrap": "^5.1.1",
Review comment:
> The examples are using 4.2.1, perhaps we need that here too: https://github.com/dpgaspar/Flask-AppBuilder/blob/27b15e59316e85e0fe62b8aa9978391ed4c729c9/examples/react-rest-api/app/static/package.json#L7
>
> Not sure if that has the vuln fixed in it or not
According to CVE-2019-8331, the issue is fixed in version 4.3.1.
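A check of the version-based finding in the PR summary and of the 4.3.1 fix version cited in the comment above, as an added example that is not part of the original PR or of Superset: it tells whether a package.json range such as `^3.4.1` can ever resolve to the release that fixes an advisory, and compares that verdict with what the lockfile actually pins. The package.json and package-lock.json contents are constructed samples, and `classifyRange` / `auditDependency` are this example's own names.

```javascript
// Added example, not code from the Superset PR: decide whether an npm dependency
// range can ever resolve to the release that fixes an advisory. Handles caret
// ranges and exact pins (the forms used in this package.json); others are "unknown".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function compare(a, b) {
  for (let i = 0; i < 3; i += 1) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of a caret range, following npm's rules:
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// 'fixed': every version the range allows is at or above the fix; 'reachable':
// the fix lies inside the range, so the lockfile decides; 'unreachable': never.
function classifyRange(range, fixedVersion) {
  const fixed = parseVersion(fixedVersion);
  if (range.startsWith('^')) {
    const floor = parseVersion(range.slice(1));
    if (compare(floor, fixed) >= 0) return 'fixed';
    return compare(fixed, caretUpperBound(floor)) < 0 ? 'reachable' : 'unreachable';
  }
  if (/^\d/.test(range)) return compare(parseVersion(range), fixed) >= 0 ? 'fixed' : 'unreachable';
  return 'unknown';
}

// Combine the manifest verdict with the version actually pinned in the lockfile
// (package-lock.json v1 "dependencies" shape, assumed for the constructed sample).
function auditDependency(pkg, lock, name, fixedVersion) {
  const range = (pkg.dependencies || {})[name];
  if (!range) return { name, status: 'absent', resolved: null, lockedIsFixed: null };
  const entry = lock && lock.dependencies && lock.dependencies[name];
  const resolved = entry ? entry.version : null;
  const lockedIsFixed = resolved === null ? null
    : compare(parseVersion(resolved), parseVersion(fixedVersion)) >= 0;
  return { name, range, status: classifyRange(range, fixedVersion), resolved, lockedIsFixed };
}

// Constructed samples: the bootstrap line before and after the PR's edit, plus a
// stale lockfile still resolving 3.4.1 (the thread gives 4.3.1 as the fix version).
const manifestBefore = { dependencies: { bootstrap: '^3.4.1' } };
const manifestAfter = { dependencies: { bootstrap: '^5.1.1' } };
const staleLock = { dependencies: { bootstrap: { version: '3.4.1' } } };
```

Run it with `node` and call `auditDependency(manifestBefore, staleLock, 'bootstrap', '4.3.1')`: a caret range rooted in a vulnerable major reports `unreachable`, which is why the manifest itself, and not only the lockfile, has to change for the fix to be installable.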
[GitHub] [superset] etr2460 commented on a change in pull request #18057: fix(Vulnerable dependency): dependency version update for jquery and bootstrap
Posted by GitBox <gi...@apache.org>.
etr2460 commented on a change in pull request #18057:
URL: https://github.com/apache/superset/pull/18057#discussion_r785249346
##########
File path: superset-frontend/package.json
##########
@@ -113,7 +113,7 @@
"antd": "^4.9.4",
"array-move": "^2.2.1",
"babel-plugin-typescript-to-proptypes": "^2.0.0",
- "bootstrap": "^3.4.1",
+ "bootstrap": "^5.1.1",
Review comment:
The examples are using 4.2.1, perhaps we need that here too: https://github.com/dpgaspar/Flask-AppBuilder/blob/27b15e59316e85e0fe62b8aa9978391ed4c729c9/examples/react-rest-api/app/static/package.json#L7
Not sure if that has the vuln fixed in it or not
[GitHub] [superset] codecov[bot] commented on pull request #18057: fix(Vulnerable dependency): dependency version update for jquery and bootstrap
Posted by GitBox <gi...@apache.org>.
codecov[bot] commented on pull request #18057:
URL: https://github.com/apache/superset/pull/18057#issuecomment-1013755580
# [Codecov](https://codecov.io/gh/apache/superset/pull/18057?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#18057](https://codecov.io/gh/apache/superset/pull/18057?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (b2f32e0) into [master](https://codecov.io/gh/apache/superset/commit/7728db741049e16cb81d87a50853436f22380ed9?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (7728db7) will **not change** coverage.
> The diff coverage is `n/a`.
[![Impacted file tree graph](https://codecov.io/gh/apache/superset/pull/18057/graphs/tree.svg?width=650&height=150&src=pr&token=KsB0fHcx6l&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)](https://codecov.io/gh/apache/superset/pull/18057?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
```diff
@@ Coverage Diff @@
## master #18057 +/- ##
=======================================
Coverage 66.34% 66.34%
=======================================
Files 1569 1569
Lines 61687 61687
Branches 6241 6241
=======================================
Hits 40927 40927
Misses 19162 19162
Partials 1598 1598
```
| Flag | Coverage Δ | |
|---|---|---|
| javascript | `50.92% <ø> (ø)` | |
Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#carryforward-flags-in-the-pull-request-comment) to find out more.
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/superset/pull/18057?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/superset/pull/18057?src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Last update [7728db7...b2f32e0](https://codecov.io/gh/apache/superset/pull/18057?src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
[GitHub] [superset] etr2460 commented on a change in pull request #18057: fix(Vulnerable dependency): dependency version update for jquery and bootstrap
Posted by GitBox <gi...@apache.org>.
etr2460 commented on a change in pull request #18057:
URL: https://github.com/apache/superset/pull/18057#discussion_r788943801
##########
File path: superset-frontend/package.json
##########
@@ -113,7 +113,7 @@
"antd": "^4.9.4",
"array-move": "^2.2.1",
"babel-plugin-typescript-to-proptypes": "^2.0.0",
- "bootstrap": "^3.4.1",
+ "bootstrap": "^5.1.1",
Review comment:
I believe we're still using this for anything FAB template related that hasn't been replaced. Perhaps in the CSV upload page?
[GitHub] [superset] etr2460 commented on a change in pull request #18057: fix(Vulnerable dependency): dependency version update for jquery and bootstrap
Posted by GitBox <gi...@apache.org>.
etr2460 commented on a change in pull request #18057:
URL: https://github.com/apache/superset/pull/18057#discussion_r785249006
##########
File path: superset-frontend/package.json
##########
@@ -113,7 +113,7 @@
"antd": "^4.9.4",
"array-move": "^2.2.1",
"babel-plugin-typescript-to-proptypes": "^2.0.0",
- "bootstrap": "^3.4.1",
+ "bootstrap": "^5.1.1",
Review comment:
cc @dpgaspar