chore(websocket): bump dependencies #17325

villebro · 2021-11-02T17:28:19Z

SUMMARY

Update all deps to most recent versions on superset-websocket to resolve audit warnings. The client-ws-app is also bumped to the most recent package versions, including migrating jade to pug (the project was renamed in 2016 when pug 2 was released). Some tests and type declarations are updated to fix typing errors.

After update npm run test passed and running Superset with Global Async Queries with websocket server worked as expected. Also the client-ws-app worked as expected.

AFTER

All vulnerabilities fixed:

$ pwd
/Users/ville/src/superset/superset-websocket
$ npm audit
found 0 vulnerabilities

$ pwd
/Users/ville/src/superset/superset-websocket/utils/client-ws-app
$ npm audit
found 0 vulnerabilities

BEFORE

Multiple vulnerabilities reported:

$ pwd
/Users/ville/src/superset/superset-websocket
$ npm audit
# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex

set-value  <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
fix available via `npm audit fix --force`
Will install jest@27.3.1, which is a breaking change
node_modules/set-value
  cache-base  >=0.7.0
  Depends on vulnerable versions of set-value
  Depends on vulnerable versions of union-value
  node_modules/cache-base
    base  >=0.7.0
    Depends on vulnerable versions of cache-base
    node_modules/base
      snapdragon  0.6.0 - 0.10.1
      Depends on vulnerable versions of base
      node_modules/snapdragon
        braces  2.0.0 - 2.3.2
        Depends on vulnerable versions of snapdragon
        node_modules/sane/node_modules/braces
        expand-brackets  1.0.0 - 2.1.4
        Depends on vulnerable versions of snapdragon
        node_modules/expand-brackets
        extglob  1.0.0 - 2.0.4
        Depends on vulnerable versions of snapdragon
        node_modules/extglob
        micromatch  3.0.0 - 3.1.10
        Depends on vulnerable versions of snapdragon
        node_modules/sane/node_modules/micromatch
          anymatch  2.0.0
          Depends on vulnerable versions of micromatch
          node_modules/sane/node_modules/anymatch
          sane  2.5.0 - 4.1.0
          Depends on vulnerable versions of micromatch
          node_modules/sane
            jest-haste-map  24.0.0-alpha.0 - 26.6.2
            Depends on vulnerable versions of sane
            node_modules/jest-haste-map
              @jest/core  <=26.6.3
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-snapshot
              node_modules/@jest/core
                jest  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/core
                Depends on vulnerable versions of jest-cli
                node_modules/jest
                jest-cli  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/core
                Depends on vulnerable versions of jest-config
                node_modules/jest/node_modules/jest-cli
              @jest/reporters  <=26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/reporters
              @jest/test-sequencer  <=26.6.3
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/test-sequencer
                jest-config  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/test-sequencer
                Depends on vulnerable versions of babel-jest
                Depends on vulnerable versions of jest-jasmine2
                node_modules/jest-config
                  jest-runner  24.0.0-alpha.0 - 26.6.3
                  Depends on vulnerable versions of jest-config
                  Depends on vulnerable versions of jest-haste-map
                  node_modules/jest-runner
                  jest-runtime  24.0.0-alpha.0 - 26.6.3
                  Depends on vulnerable versions of @jest/transform
                  Depends on vulnerable versions of jest-config
                  Depends on vulnerable versions of jest-haste-map
                  Depends on vulnerable versions of jest-snapshot
                  node_modules/jest-runtime
                    jest-jasmine2  24.2.0-alpha.0 - 26.6.3
                    Depends on vulnerable versions of jest-runtime
                    Depends on vulnerable versions of jest-snapshot
                    node_modules/jest-jasmine2
              @jest/transform  <=26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/@jest/transform
                babel-jest  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of @jest/transform
                node_modules/babel-jest
              jest-snapshot  24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
              Depends on vulnerable versions of jest-haste-map
              node_modules/jest-snapshot
                jest-resolve-dependencies  26.1.0 - 26.6.3
                Depends on vulnerable versions of jest-snapshot
                node_modules/jest-resolve-dependencies
        nanomatch  >=0.1.1
        Depends on vulnerable versions of snapdragon
        node_modules/nanomatch
  union-value  *
  Depends on vulnerable versions of set-value
  node_modules/union-value

tmpl  <1.0.5
Severity: moderate
Regular Expression Denial of Service in tmpl - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl

28 vulnerabilities (2 moderate, 26 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

and for client-ws-app:

$ pwd
/Users/ville/src/superset/superset-websocket/utils/client-ws-app
$ npm audit
# npm audit report

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@0.31.2, which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@0.31.2, which is a breaking change
node_modules/constantinople
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  node_modules/jade

uglify-js  <=2.5.0
Severity: critical
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
fix available via `npm audit fix --force`
Will install jade@0.31.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  2.0.0 - 3.0.1
  Depends on vulnerable versions of uglify-js
  node_modules/transformers
    jade  >=0.30.0
    Depends on vulnerable versions of clean-css
    Depends on vulnerable versions of constantinople
    Depends on vulnerable versions of transformers
    node_modules/jade

5 vulnerabilities (1 low, 4 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

Has associated issue:
Required feature flags:
Changes UI
Includes DB Migration (follow approval process in SIP-59)
- Migration is atomic, supports rollback & is backwards-compatible
- Confirm DB migration upgrade and downgrade tested
- Runtime estimates and downtime expectations provided
Introduces new feature or API
Removes existing feature or API

villebro · 2021-11-02T21:31:35Z

FYI @rusackas as per your recommendation, I also fixed the warnings on the client app.

villebro · 2021-11-03T08:05:51Z

superset-websocket/package.json

+    "eslint": "^7.32.0",
+    "eslint-config-prettier": "^7.1.0",
+    "jest": "^27.3.1",
+    "prettier": "^2.4.1",


prettier bumped to same version as superset-ui to make monorepo migration easier.

villebro · 2021-11-03T09:50:24Z

superset-websocket/spec/index.test.ts

+  const setReadyState = (ws: WebSocket, value: typeof ws.readyState) => {
+    // workaround for not being able to do
+    // spyOn(instance,'readyState','get').and.returnValue(value);
+    // See for details: https://github.com/facebook/jest/issues/9675
+    Object.defineProperty(ws, 'readyState', {
+      configurable: true,
+      get() {
+        return value;
+      },
+    });
+  };


WebSocket.readyState has been made readonly in version 8 of ws, so the property needs to be mocked.

kgabryje

lgtm!

* chore(websocket): bump dependencies * bump client-ws-app * bump more packages

chore(websocket): bump dependencies

aad7ab8

superset-github-bot bot added the preset-io label Nov 2, 2021

pull-request-size bot added the size/XS label Nov 2, 2021

villebro requested a review from rusackas November 2, 2021 17:28

rusackas approved these changes Nov 2, 2021

View reviewed changes

bump client-ws-app

188309e

pull-request-size bot added size/S and removed size/XS labels Nov 2, 2021

villebro requested a review from rusackas November 2, 2021 21:30

pull-request-size bot added size/M and removed size/S labels Nov 3, 2021

villebro force-pushed the villebro/bump-websocket branch from f6eab1b to 621ff4c Compare November 3, 2021 08:03

villebro commented Nov 3, 2021

View reviewed changes

villebro force-pushed the villebro/bump-websocket branch from 621ff4c to 4b291ee Compare November 3, 2021 08:07

bump more packages

e350dd2

villebro force-pushed the villebro/bump-websocket branch from 4b291ee to e350dd2 Compare November 3, 2021 08:19

villebro commented Nov 3, 2021

View reviewed changes

kgabryje approved these changes Nov 3, 2021

View reviewed changes

villebro merged commit 33bcf82 into apache:master Nov 3, 2021

villebro deleted the villebro/bump-websocket branch November 3, 2021 10:17

AAfghahi pushed a commit that referenced this pull request Jan 10, 2022

chore(websocket): bump dependencies (#17325)

8b91b28

* chore(websocket): bump dependencies * bump client-ws-app * bump more packages

mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 1.5.0 labels Mar 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(websocket): bump dependencies #17325

chore(websocket): bump dependencies #17325

villebro commented Nov 2, 2021 •

edited

villebro commented Nov 2, 2021

villebro Nov 3, 2021

villebro Nov 3, 2021

kgabryje left a comment

chore(websocket): bump dependencies #17325

chore(websocket): bump dependencies #17325

Conversation

villebro commented Nov 2, 2021 • edited

SUMMARY

AFTER

BEFORE

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

villebro commented Nov 2, 2021

villebro Nov 3, 2021

Choose a reason for hiding this comment

villebro Nov 3, 2021

Choose a reason for hiding this comment

kgabryje left a comment

Choose a reason for hiding this comment

villebro commented Nov 2, 2021 •

edited