Closed jsjiang closed 9 months ago
Routine dependency scans ticket: #494
Joel provided fixes and documented changes in Pull request for Update EZID UI build tool packages to fix critical vulnerabilities
Deployed branch ui-toolkit-updates on ezid-dev for testing.
Functional test by running verify_ezid_after_patching.py: passed
UI tests: Maria and Jing performed UI tests. All look good.
@JoelCDL Hi Joel, I merged the pull request and the fixes cleared almost all Dependabot alerts. Great job! Thank you!
There are still two more high security alerts (https://github.com/CDLUC3/ezid/security/dependabot):
I will work on the EZID one. Can you take a look at the UI one and let me know if we need to do anything to clear it.
Thank you
Jing
@jsjiang With the lodash.merge issue, you can click the "Create Dependabot security update" here, then merge in the change: https://github.com/CDLUC3/ezid/security/dependabot/8
@JoelCDL Got it. Thank you Joel! -Jing
Failed to update lodash.merge due to conflicting dependencies:
Dependabot cannot update lodash.merge to a non-vulnerable version
The latest possible version that can be installed is 3.3.2 because of the following conflicting dependencies:
gulp-lb-include@0.3.1 requires lodash.merge@^3.1.0
gulp-lb-include@0.3.1 requires lodash.merge@^3.3.2 via lb-include@0.3.2
No patched version available for lodash.merge
The earliest fixed version is 4.6.2.
Deployed on ezid-prd 12/6.
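Why Dependabot stops at 3.3.2 in the message quoted above, shown as an added example (not code from the EZID project or from this thread): npm's caret rule turns `^3.1.0` into `>=3.1.0 <4.0.0`, so the earliest fixed release, 4.6.2, is unreachable while gulp-lb-include and lb-include keep their ranges. The constraint data is constructed from the Dependabot text; the function names are assumptions of this example.

```javascript
// Added example: reproduce Dependabot's conflict check for lodash.merge.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// npm caret semantics: ^X.Y.Z permits updates that leave the left-most
// non-zero component unchanged (^3.1.0 => >=3.1.0 <4.0.0).
function caretRange(range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const [x, y, z] = parseVersion(range.slice(1));
  let upper;
  if (x > 0) upper = [x + 1, 0, 0];
  else if (y > 0) upper = [0, y + 1, 0];
  else upper = [0, 0, z + 1];
  return { min: range.slice(1), maxExclusive: upper.join('.') };
}

function satisfies(version, range) {
  const r = caretRange(range);
  return compareVersions(version, r.min) >= 0 && compareVersions(version, r.maxExclusive) < 0;
}

// Constraints that exclude fixedVersion; an empty result means the update can proceed.
function blockingConstraints(constraints, fixedVersion) {
  return constraints.filter((c) => !satisfies(fixedVersion, c.range));
}

// Constructed from the Dependabot message in the issue (requirer -> range).
const LODASH_MERGE_CONSTRAINTS = [
  { requiredBy: 'gulp-lb-include@0.3.1', range: '^3.1.0' },
  { requiredBy: 'lb-include@0.3.2', range: '^3.3.2' },
];
const EARLIEST_FIXED = '4.6.2';

for (const b of blockingConstraints(LODASH_MERGE_CONSTRAINTS, EARLIEST_FIXED)) {
  console.log(`${b.requiredBy} pins lodash.merge@${b.range}, which excludes ${EARLIEST_FIXED}`);
}
```

Clearing the alert therefore needs the upstream packages to widen their range or a replacement for gulp-lb-include, not a Dependabot bump alone.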
Apply security updates to the EZID UI packages