CDLUC3 / ezid

MIT License

Apply security updates to EZID UI packages #519

Closed jsjiang closed 9 months ago

jsjiang commented 10 months ago

Apply security updates to the EZID UI packages

jsjiang commented 10 months ago

Routine dependency scans ticket: #494

jsjiang commented 10 months ago

Joel provided fixes and documented the changes in the pull request "Update EZID UI build tool packages to fix critical vulnerabilities".

jsjiang commented 10 months ago

Deployed branch ui-toolkit-updates on ezid-dev for testing.

jsjiang commented 10 months ago

Functional test by running verify_ezid_after_patching.py: passed.
UI tests: Maria and Jing performed UI tests. All look good.

jsjiang commented 10 months ago

@JoelCDL Hi Joel, I merged the pull request and the fixes cleared almost all Dependabot alerts. Great job! Thank you!

There are still two more high security alerts (https://github.com/CDLUC3/ezid/security/dependabot):

I will work on the EZID one. Can you take a look at the UI one and let me know if we need to do anything to clear it.

Thank you

Jing

JoelCDL commented 10 months ago

@jsjiang With the lodash.merge issue, you can click the "Create Dependabot security update" here, then merge in the change: https://github.com/CDLUC3/ezid/security/dependabot/8

jsjiang commented 10 months ago

@JoelCDL Got it. Thank you Joel! -Jing

jsjiang commented 10 months ago

Failed to update lodash.merge due to conflicting dependencies:

Dependabot cannot update lodash.merge to a non-vulnerable version
The latest possible version that can be installed is 3.3.2 because of the following conflicting dependencies:

gulp-lb-include@0.3.1 requires lodash.merge@^3.1.0
gulp-lb-include@0.3.1 requires lodash.merge@^3.3.2 via lb-include@0.3.2
No patched version available for lodash.merge
The earliest fixed version is 4.6.2.
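The conflict Dependabot reports above, as an added example that is not part of this issue or of the EZID code base: a constructed lock-file-style tree mirroring the three packages named in the message, a minimal caret-range check (enough for this case; real npm semver is broader), and two walks over the tree, one that finds every installed copy of lodash.merge below the fixed version and one that lists the declared ranges that reject that fixed version. The names `lockTree`, `caretSatisfies`, `findVulnerableCopies` and `blockingRanges` are mine, and the `requires` ranges come from the Dependabot text quoted above.

```javascript
// Added example, not project code: reproduce offline why Dependabot could not
// bump lodash.merge past 3.3.2, and find every outdated copy in a tree.

// Parse "MAJOR.MINOR.PATCH" into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Caret ranges (^X.Y.Z) allow updates that keep the leftmost non-zero
// component fixed: for X >= 1 that is [X.Y.Z, (X+1).0.0). Only caret ranges
// are handled here; that is all this issue's message contains.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const base = range.slice(1);
  if (compareVersions(version, base) < 0) return false;
  const [lo, v] = [parseVersion(base), parseVersion(version)];
  if (lo[0] > 0) return v[0] === lo[0];
  if (lo[1] > 0) return v[0] === 0 && v[1] === lo[1];
  return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
}

// Constructed dependency tree (assumption) mirroring the Dependabot message:
// gulp-lb-include@0.3.1 -> lb-include@0.3.2 -> lodash.merge@3.3.2.
const lockTree = {
  name: "ezid-ui",
  version: "0.0.0",
  dependencies: {
    "gulp-lb-include": {
      version: "0.3.1",
      requires: { "lodash.merge": "^3.1.0" },
      dependencies: {
        "lb-include": {
          version: "0.3.2",
          requires: { "lodash.merge": "^3.3.2" },
          dependencies: {
            "lodash.merge": { version: "3.3.2" },
          },
        },
      },
    },
  },
};

// Every installed copy of `pkg` older than `fixedVersion`, with the chain of
// parents that pulled it in (nested copies are easy to miss in a flat listing).
function findVulnerableCopies(tree, pkg, fixedVersion, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, fixedVersion) < 0) {
      hits.push({ path: here.join(" > "), version: node.version });
    }
    hits.push(...findVulnerableCopies(node, pkg, fixedVersion, here));
  }
  return hits;
}

// Every declared range for `pkg` that rejects `fixedVersion`. A non-empty
// result is exactly the "conflicting dependencies" case Dependabot reported:
// no automatic bump can satisfy these dependents.
function blockingRanges(tree, pkg, fixedVersion) {
  const out = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const range = (node.requires || {})[pkg];
    if (range && !caretSatisfies(range, fixedVersion)) {
      out.push({ dependent: `${name}@${node.version}`, range });
    }
    out.push(...blockingRanges(node, pkg, fixedVersion));
  }
  return out;
}

const FIXED = "4.6.2";
console.log("outdated copies:", findVulnerableCopies(lockTree, "lodash.merge", FIXED));
console.log("ranges blocking", FIXED + ":", blockingRanges(lockTree, "lodash.merge", FIXED));
```

Run it with `node`. Both dependents declare `^3.x`, which no 4.x release can satisfy, so the "Create Dependabot security update" button has nothing it can do here. Clearing the alert therefore needs one of: an upstream release of gulp-lb-include and lb-include that accepts lodash.merge 4.x, dropping that build dependency, or (with npm 8.3 or later) forcing `lodash.merge` to 4.6.2 through an `overrides` entry in package.json, after which the functional tests should be re-run, because an override deliberately bypasses the constraint those packages declared.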

jsjiang commented 10 months ago

Deployed on ezid-prd 12/6.