Open ananya-agarwal opened 1 week ago
Steps that were taken to resolve the CVE:
nvm use 12
(Change the node version to a not so upgraded version)
cd tools/ace-editor
npm install
cd …
hue/make ace
There were no errors/file changes
changed version of mime from 1.2.x to 1.4.1 manually in tools/ace-editor/package.json
make ace
no major changes (except for some linting issues in sql files->revert those)
And did you manually test Editor after the upgrade and build? Do we know/how when this mime package is used by the Editor?
There were no code changes after the build so no change to the actual code that the Hue editor uses.
@bjornalm
The editor (Hue UI) was working fine after this change too.
I think you wanna ask about below only:
ace-editor has a dependency on mime (present in just one place here in package.json)
mime is used in ace-editor (internally) in a file called static.js. The file static.js is responsible for creating a backend server. That file or the backend server created for ace-editor has nothing to do with Hue. So, we don't use mime directly at all in the Hue editor. So, we are all good here.
What changes were proposed in this pull request?
This PR is to fix the CVE on GitHub by dependabot (https://github.com/cloudera/hue/security/dependabot/26). This involves upgrading mime (used as a dependency by ace-editor) version from 1.2.x to 1.4.1.
How was this patch tested?
Changed version of mime from 1.2.x to 1.4.1 and no changes in the files were seen.
Please review Hue Contributing Guide before opening a pull request.
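
An added example, not part of this PR or of the Hue or ace-editor code: one way to check the two points raised in review, namely whether the declared mime range still admits versions below 1.4.1 and which source files actually require mime. The directory it scans is a constructed stand-in for tools/ace-editor, and `floorOf`, `specAtLeast`, `findRequires`, `audit` and `makeSample` are hypothetical helper names.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Lowest version a simple spec can resolve to ("1.2.x", "^1.4.1", "~1.2.9", "1.4.1" only).
function floorOf(spec) {
  const m = /^[\^~]?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported spec: ${spec}`);
  return m.slice(1, 4).map(p => (p === undefined || p === 'x' || p === '*') ? 0 : Number(p));
}

// True when every version the spec allows is >= the fixed version.
function specAtLeast(spec, fixed) {
  const a = floorOf(spec), b = floorOf(fixed);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Recursively list .js files that require() the named package, skipping node_modules.
function findRequires(dir, name, hits = []) {
  const re = new RegExp(`require\\(\\s*['"]${name}['"]\\s*\\)`);
  for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
    const p = path.join(dir, e.name);
    if (e.isDirectory()) { if (e.name !== 'node_modules') findRequires(p, name, hits); }
    else if (e.name.endsWith('.js') && re.test(fs.readFileSync(p, 'utf8'))) hits.push(p);
  }
  return hits;
}

// Report the declared spec, whether it excludes pre-fix versions, and who imports the package.
function audit(pkgDir, name, fixed) {
  const pkg = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
  const spec = { ...pkg.devDependencies, ...pkg.dependencies }[name];
  const users = findRequires(pkgDir, name).map(f => path.relative(pkgDir, f)).sort();
  return { spec, patched: spec !== undefined && specAtLeast(spec, fixed), users };
}

// Constructed sample tree: only static.js requires mime, as described in the thread.
function makeSample(spec) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'ace-sample-'));
  fs.mkdirSync(path.join(dir, 'lib'));
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ dependencies: { mime: spec } }));
  fs.writeFileSync(path.join(dir, 'static.js'), "var mime = require('mime');\n");
  fs.writeFileSync(path.join(dir, 'lib', 'editor.js'), "var dom = require('./dom');\n");
  return dir;
}

console.log(audit(makeSample('1.2.x'), 'mime', '1.4.1')); // before the bump
console.log(audit(makeSample('1.4.1'), 'mime', '1.4.1')); // after the bump
```

The declared range is only half the answer: the version actually installed comes from the lock file, which `npm ls mime` reports.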