Closed utku-ozturk closed 1 year ago
Changes mostly look good. You know how I feel about cypress `.wait()`s (re: my other recent reviews), so I won't belabor that point. I understand you probably don't have time to go through all of these that already exist and update them. But maybe try to prevent adding more in the future.
@Bianca-Morris FYI, I added a comment here: https://github.com/4dn-dcic/fourfront/pull/1804#issuecomment-1553081027
This PR mainly focuses on the `jsonwebtoken` to `jose` transition, which is used for signing and verifying JWT tokens in Cypress tests. The portal currently uses `jsonwebtoken` v8.5.1 to run the login4DN command in Cypress tests. On the other hand, it is reported as vulnerable according to CVE reports. v9 is the recommended version, but it doesn't work in the browser anymore: starting with v9, it signs secrets using KeyObject, which is defined in the node.js/crypto package. Auth0 recommends switching to one of the libraries listed on the JWT site. We chose `jose`, which is frequently updated and has a high Snyk score.

Secondly, Cypress has a major upgrade and breaking changes in v12 (the current version on the portal is v10). While updating login4DN and JWT, we also completed the v12 migration. There are breaking changes (isolation, intercept, within and session); all affected tests are updated.
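To illustrate the portability point above (why a browser-side test helper cannot rely on Node's KeyObject), here is an added example, not code from the fourfront PR or from jose, of an HS256 JWT signer and verifier built only on WebCrypto and TextEncoder, so it runs in the browser context Cypress tests execute in; the function names, the `exp` check and the constructed secret are assumptions, and a maintained library such as jose remains the right choice for real code.

```javascript
// Added example (not from the fourfront PR or the jose library): minimal HS256
// JWT sign/verify on WebCrypto (crypto.subtle), usable in a browser or Node.
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url without padding, as RFC 7515 requires for JWS segments.
function b64url(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fromB64url(s) {
  const padded = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

async function subtle() {
  // Browsers and Node >= 19 expose WebCrypto globally; older Node via node:crypto.
  return globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;
}

// Import the shared secret as a non-extractable HMAC-SHA256 key for one usage.
async function hmacKey(secret, usage) {
  return (await subtle()).importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);
}

// Returns the compact serialization "header.payload.signature".
async function signHS256(payload, secret) {
  const header = { alg: "HS256", typ: "JWT" };
  const signingInput = `${b64url(enc.encode(JSON.stringify(header)))}.${b64url(enc.encode(JSON.stringify(payload)))}`;
  const sig = await (await subtle()).sign("HMAC", await hmacKey(secret, "sign"), enc.encode(signingInput));
  return `${signingInput}.${b64url(new Uint8Array(sig))}`;
}

// Pins the algorithm to HS256 (never trusts the token's own "alg"), verifies the
// signature with WebCrypto, then checks "exp". Returns the payload or null.
async function verifyHS256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const header = JSON.parse(dec.decode(fromB64url(parts[0])));
  if (header.alg !== "HS256") return null;
  const ok = await (await subtle()).verify("HMAC", await hmacKey(secret, "verify"), fromB64url(parts[2]), enc.encode(`${parts[0]}.${parts[1]}`));
  if (!ok) return null;
  const payload = JSON.parse(dec.decode(fromB64url(parts[1])));
  if (typeof payload.exp === "number" && payload.exp <= now) return null;
  return payload;
}
```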