Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2022/04/18 14:18:31 UTC

[GitHub] [dolphinscheduler] pjfanning opened a new issue, #9570: [Bug] [UI] multiple insecure npm libs used in UI

pjfanning opened a new issue, #9570:
URL: https://github.com/apache/dolphinscheduler/issues/9570

   ### Search before asking
   
   - [X] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### What happened
   
   I used dependabot to check dolphinscheduler-ui/package.json
   
   You can also use `npm audit` and `npm audit fix`
   
   Example NPMs that need upgrades
   * axios - https://github.com/advisories/GHSA-cph5-m8f7-6c5x and others
   * jquery - https://github.com/advisories/GHSA-gxr4-xjj5-5px2 and others
   * bootstrap
   * node-sass
   
   
   ### What you expected to happen
   
   secure libs
   
   ### How to reproduce
   
   npm audit
   
   ### Anything else
   
   _No response_
   
   ### Version
   
   dev
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
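As an added example (not part of the issue thread or of the DolphinScheduler project), here is a small CI gate that triages `npm audit --json` output the way the report above suggests: it fails the build on advisories at or above a chosen severity and lets a team accept a known advisory until an expiry date. The report embedded below is constructed in the shape of npm audit v2 output around the two advisories cited in the issue; its titles, ranges and `source` ids are illustrative, not copied from the real advisories.

```javascript
// Added example: severity gate over `npm audit --json` (auditReportVersion 2) output.
// Usage in CI:  npm audit --json > audit.json && node audit-gate.js audit.json

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns { blocking, accepted }. `minSeverity` is the lowest severity that fails the
// build; `allowlist` maps an advisory URL to an ISO expiry date for a risk the team
// has reviewed and accepted. Unknown severities fail closed (they are never skipped).
function triageAudit(report, minSeverity = "high", allowlist = {}, today = new Date()) {
  const blocking = [];
  const accepted = [];
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    // `via` mixes advisory objects (the package is itself vulnerable) with plain
    // strings naming another vulnerable package (transitive); only objects carry advisories.
    const advisories = (vuln.via || []).filter((v) => typeof v === "object");
    for (const adv of advisories) {
      if (SEVERITY_RANK[adv.severity] < SEVERITY_RANK[minSeverity]) continue;
      const finding = { package: pkg, severity: adv.severity, url: adv.url,
                        range: adv.range, fixAvailable: Boolean(vuln.fixAvailable) };
      const expiry = allowlist[adv.url];
      if (expiry && new Date(expiry) > today) accepted.push(finding);
      else blocking.push(finding);
    }
  }
  return { blocking, accepted };
}

// Constructed sample report (shape of npm audit v2; titles/ranges/ids are illustrative).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: { name: "axios", severity: "high", range: "<0.21.1", fixAvailable: true,
      via: [{ source: 1001, name: "axios", title: "SSRF (constructed title)", severity: "high",
              range: "<0.21.1", url: "https://github.com/advisories/GHSA-cph5-m8f7-6c5x" }] },
    jquery: { name: "jquery", severity: "moderate", range: "<3.5.0", fixAvailable: true,
      via: [{ source: 1002, name: "jquery", title: "XSS (constructed title)", severity: "moderate",
              range: "<3.5.0", url: "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" }] },
    // Transitive entry: vulnerable only through axios, so `via` is a string, not an advisory.
    "some-transitive": { name: "some-transitive", severity: "high", range: "*", fixAvailable: false, via: ["axios"] },
  },
};

// Read a real report when a file path is given (CommonJS entry point); otherwise do nothing.
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const report = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const { blocking } = triageAudit(report);
  for (const f of blocking) console.log(`BLOCK ${f.package} ${f.severity} ${f.url} fix=${f.fixAvailable}`);
  process.exitCode = blocking.length ? 1 : 0;
}
```

Pairing the gate with `npm audit fix` only where `fixAvailable` is true keeps the upgrade list honest: findings without a fix still need a human decision, which is what the expiring allowlist records.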


[GitHub] [dolphinscheduler] zhongjiajie closed issue #9570: [Bug] [UI] multiple insecure npm libs used in dolphinscheduler-ui

zhongjiajie closed issue #9570: [Bug] [UI] multiple insecure npm libs used in dolphinscheduler-ui
URL: https://github.com/apache/dolphinscheduler/issues/9570




[GitHub] [dolphinscheduler] github-actions[bot] commented on issue #9570: [Bug] [UI] multiple insecure npm libs used in UI

github-actions[bot] commented on issue #9570:
URL: https://github.com/apache/dolphinscheduler/issues/9570#issuecomment-1101445212

   Thank you for your feedback, we have received your issue. Please wait patiently for a reply.
   * In order for us to understand your request as soon as possible, please provide detailed information, version or pictures.
   * If you haven't received a reply for a long time, you can [join our slack](https://join.slack.com/t/asf-dolphinscheduler/shared_invite/zt-omtdhuio-_JISsxYhiVsltmC5h38yfw) and send your question to channel `#troubleshooting`




[GitHub] [dolphinscheduler] songjianet commented on issue #9570: [Bug] [UI] multiple insecure npm libs used in UI

songjianet commented on issue #9570:
URL: https://github.com/apache/dolphinscheduler/issues/9570#issuecomment-1101925425

   At present, axios is applied to both the new UI and the old UI, while the other three dependencies are currently applied to the old UI only, but I don't understand what you mean by unsafe.




[GitHub] [dolphinscheduler] songjianet commented on issue #9570: [Bug] [UI] multiple insecure npm libs used in UI

songjianet commented on issue #9570:
URL: https://github.com/apache/dolphinscheduler/issues/9570#issuecomment-1102208229

   > > At present, axios is applied to the new ui and the old ui, but the other three dependencies are currently applied to the old ui, but I don't understand what you mean by unsafe.
   > 
   > When I say 'unsafe', I mean there are open security advisories for all the components listed. dolphinscheduler is using old versions of these NPM libs. An example for axios is [GHSA-cph5-m8f7-6c5x](https://github.com/advisories/GHSA-cph5-m8f7-6c5x)
   
   I saw this, but this axios security issue applies to versions less than 21, which corresponds to our old UI. I don't know how you can deal with this problem. Is it a full upgrade of the dependencies of the old UI?




[GitHub] [dolphinscheduler] pjfanning commented on issue #9570: [Bug] [UI] multiple insecure npm libs used in UI

pjfanning commented on issue #9570:
URL: https://github.com/apache/dolphinscheduler/issues/9570#issuecomment-1102211726

   So 'dolphinscheduler-ui-next' is intended to replace 'dolphinscheduler-ui' soon? If so, then I suppose old versions of NPMs in 'dolphinscheduler-ui' don't need upgrades.




[GitHub] [dolphinscheduler] pjfanning commented on issue #9570: [Bug] [UI] multiple insecure npm libs used in UI

pjfanning commented on issue #9570:
URL: https://github.com/apache/dolphinscheduler/issues/9570#issuecomment-1102196090

   > At present, axios is applied to the new ui and the old ui, but the other three dependencies are currently applied to the old ui, but I don't understand what you mean by unsafe.
   
   When I say 'unsafe', I mean there are open security advisories for all the components listed. dolphinscheduler is using old versions of these NPM libs. An example for axios is https://github.com/advisories/GHSA-cph5-m8f7-6c5x




[GitHub] [dolphinscheduler] github-actions[bot] commented on issue #9570: [Bug] [UI] multiple insecure npm libs used in dolphinscheduler-ui

github-actions[bot] commented on issue #9570:
URL: https://github.com/apache/dolphinscheduler/issues/9570#issuecomment-1132319444

   This issue has been automatically marked as stale because it has not had recent activity for 30 days. It will be closed in the next 7 days if no further activity occurs.




[GitHub] [dolphinscheduler] zhongjiajie commented on issue #9570: [Bug] [UI] multiple insecure npm libs used in UI

zhongjiajie commented on issue #9570:
URL: https://github.com/apache/dolphinscheduler/issues/9570#issuecomment-1102228918

   > So 'dolphinscheduler-ui-next' is intended to replace 'dolphinscheduler-ui' soon? If so, then I suppose old versions of NPMs in 'dolphinscheduler-ui' don't need upgrades.
   
   Actually, in our latest release, dolphinscheduler-3.0.0-alpha, our front end uses the module `dolphinscheduler-ui-next` instead of `dolphinscheduler-ui`. So I think we should ignore the unsafe issue, and we should discuss the day when we should totally remove the module `dolphinscheduler-ui` to avoid confusing our users. (IMO, the time we release version `3.0.0` is a good date to announce it)




[GitHub] [dolphinscheduler] zhongjiajie commented on issue #9570: [Bug] [UI] multiple insecure npm libs used in dolphinscheduler-ui

zhongjiajie commented on issue #9570:
URL: https://github.com/apache/dolphinscheduler/issues/9570#issuecomment-1132435030

   It seems we just totally removed the old `dolphinscheduler-ui` and renamed `dolphinscheduler-ui-next` to `dolphinscheduler-ui` in #9909, so I think this issue could be closed, cc @songjianet

